About the NIAC

The President's National Infrastructure Advisory Council (NIAC) is composed of senior executives from 
industry and state and local government who own and operate the critical infrastructure essential to 
modern life. The Council was established by executive order in October 2001 to advise the President 
on practical strategies for industry and government to reduce complex risks to the designated critical 
infrastructure sectors. 

At the President's request, NIAC members conduct in-depth studies on physical and cyber risks to 
critical infrastructure and recommend solutions that reduce risks and improve security and resilience. 
Members draw upon their deep experience, engage national experts, and conduct extensive research 
to discern the key insights that lead to practical federal solutions to complex problems. 

For more information on the NIAC and its work, please visit
https://www.dhs.gov/national-infrastructure-advisory-council.


Catastrophic Power Outage Study 


Executive Summary 

The nation has steadily improved its ability to respond to major disasters and the power outages that often 
result. But increasing threats—whether severe natural disasters, cyber-physical attacks, electromagnetic 
events, or some combination—present new challenges for protecting the national power grid and 
recovering quickly from a catastrophic power outage. 


The President's National Infrastructure Advisory Council (NIAC) was tasked to examine the nation's ability
to respond to and recover from a catastrophic power outage of a magnitude beyond modern experience,
exceeding prior events in severity, scale, duration, and consequence. Simply put, how can the nation best
prepare for and recover from a catastrophic power outage, regardless of the cause?


After interviews with dozens of senior leaders and experts and an extensive review of studies and statutes,
we found that existing national plans, response resources, and coordination strategies would be
outmatched by a catastrophic power outage. This profound risk requires a new national focus. Significant
public and private action is needed to prepare for and recover from a catastrophic outage that could leave
large parts of the nation without power for weeks or months, and cause service failures in other
sectors—including water and wastewater, communications, transportation, healthcare, and financial
services—that are critical to public health and safety and our national and economic security.

What is a catastrophic power outage?

• Events beyond modern experience that exhaust or exceed mutual aid capabilities

• Likely to be no-notice or limited-notice events that could be complicated by a cyber-physical attack

• Long duration, lasting several weeks to months due to physical infrastructure damage

• Affects a broad geographic area, covering multiple states or regions and affecting tens of millions
of people

• Causes severe cascading impacts that force critical sectors—drinking water and wastewater systems,
communications, transportation, healthcare, and financial services—to operate in a degraded state


Recommendations


The United States should respond to this problem in two overarching ways: 1) design a national approach to 
prepare for, respond to, and recover from catastrophic power outages that provides the federal guidance, 
resources, and incentives needed to take action across all levels of government and industry and down to 
communities and individuals; and 2) improve our understanding of how cascading failures across critical 
infrastructure will affect restoration and survival. 


There are a number of ongoing initiatives in both the public and private sector that are in line with our 
recommendations. We urge the continued advancement of these initiatives in conjunction with our 
recommendations. 


The NIAC was challenged to examine events that are beyond our nation's experience, yet would impact 
nearly every jurisdiction, industry, and citizen. The solutions we identified will require strong public-private 
collaboration—as the NIAC has recommended previously—to address the scale and significance of
catastrophic power outages. 
Recommendations Overview


Design a National Approach for Catastrophic Power Outages

Design a national approach for catastrophic power outage planning, response, and recovery to create a
cross-sector, cross-government strategy.

1. Examine and clarify the federal authorities that may be exercised during a catastrophic power
outage and grid security emergency and clearly identify the cabinet-level leadership and decision-making
processes.

2. Develop a federal design basis and the design standards/criteria that identify what infrastructure
sectors, cities, communities, and rural areas need to reduce the impacts and recover from a catastrophic
power outage.

3. Develop guidance and provide resources for states, territories, cities, and localities to design
community enclaves—areas that co-locate critical services and resources to sustain surrounding
populaces, maintain health and safety, and allow residents to shelter in place.

4. Design and support a portfolio of incentives that provide financial support or remove financial and
regulatory barriers to help companies and state, local, tribal, and territorial governments implement the
recommendations included in this report.


Mitigate Cross-Sector Interdependencies and Cascading Failures

Identify cascading failures impacting key sectors, especially natural gas and communications to ensure their
availability to aid power restoration, and identify actions to improve resilience to a catastrophic power
outage.

5. Conduct a series of regional catastrophic power outage exercises that identify the second- and
third-order cascading failures of an outage over time, as backup resources and mutual aid agreements
are exhausted, and examine cross-sector supply chain and cyber risks that could delay re-energizing the
grid.

6. Ensure that all critical natural gas transmission pipeline infrastructure has the appropriate
standards, design, and practices to continue service during a catastrophic power outage and maintain
rapid availability to support blackstart generations.

7. Develop or support a flexible, adaptable emergency communications system that all sectors can
interoperably use, that is self-powered, and is reasonably protected against all hazards to support
critical service restoration and connect infrastructure owners/operators, emergency responders, and
government leaders.


Next Steps


Our recommendations provide a path forward for enhancing the nation's capabilities. These actions require
a whole-of-nation approach and strong public-private collaboration. Given the importance of this issue and
the number of ongoing efforts, we request the National Security Council (NSC)—working with the lead
agencies identified—provide a status update to the NIAC within nine months of the report's approval on
how our recommendations are being implemented, progress being made on the ongoing initiatives, or any
significant barriers to implementation.
Introduction: What the Nation Faces

Across the nation, we experience major threats nearly every year: hurricanes, wildfires, flooding, droughts, 
and other serious disasters. For these events, the nation has well-established response processes where the 
federal government serves as a backstop for the robust efforts of individuals, businesses, communities, and 
states. Even as severe weather increases, the nation has steadily improved its ability to respond to growing 
disasters and resulting outages—improving planning and coordination, hardening infrastructure, and 
building strong mutual aid agreements. 

The risk posed by a catastrophic power outage, however, is not simply a bigger, stronger storm. It is 
something that could paralyze entire regions, with grave implications for the nation's economic and social 
well-being. The NIAC was tasked to examine the nation's ability to withstand a catastrophic power outage 
of a magnitude beyond modern experience, exceeding prior events in severity, scale, duration, and 
consequence. 

The NIAC was challenged to think beyond even our most severe power disruptions, imagining an outage that 
stretches beyond days and weeks to months or years, and affects large swaths of the country. Unlike severe 
weather disasters, a catastrophic power outage may occur with little or no notice and result from myriad 
types of scenarios: for example, a sophisticated cyber-physical attack resulting in severe physical 
infrastructure damage; attacks timed to follow and exacerbate a major natural disaster; a large-scale 
wildfire, earthquake, or geomagnetic event; or a series of attacks or events over a short period of time that 
compound to create significant physical damage to our nation's infrastructure. An event of this severity may 
also be an act of war, requiring a simultaneous military response that further draws upon limited resources. 

For the purpose of this study, the NIAC focused not on the cause, but rather on the consequences, which 
are best categorized as severe, widespread, and long-lasting. The type of event contemplated will include 
not only an extended loss of power, but also a cascading loss of other critical services—drinking water and 
wastewater, communications, financial services, transportation, fuel, healthcare, and others—which may 
slow recovery and impede re-energizing the grid. 

Most importantly, the scale of the event—stretching across states and regions, affecting tens of millions of 
people—would exceed and exhaust mutual aid resources and capabilities. The ability to share public and 
private resources across businesses and jurisdictions underpins our nation's emergency response plans and 
strategies today. (See Appendix C for a more detailed definition of a catastrophic outage). 

This profound threat requires a new national focus. The NIAC found that our existing plans, response 
resources, and coordination strategies would be outmatched by an event of this severity. Significant action 
is needed to prepare for a catastrophic power outage that could last for weeks or months. 

Our Task 

In May 2018, the NSC tasked the NIAC to build on the insights gathered during a scoping effort to develop 
findings and recommendations on how the public and private sectors can work together to further 
enhance and integrate critical infrastructure resilience with response and recovery actions to mitigate 
risks posed by catastrophic power outages. (See Appendix B for more information on the NIAC tasking).
Our Approach

To better understand catastrophic power outages and how they are different from previously experienced 
disasters, the NIAC conducted a scoping effort—completed in June 2018—to identify the key issues that 
would need to be further explored. A Working Group of 10 NIAC members led this full study, and formed a 
Study Group of subject matter experts to vet and validate the results of the scoping effort and provide
crucial input. In total, we interviewed more than 60 senior leaders and subject matter experts from federal,
state, and local governments, industry, academia, and nongovernmental organizations (NGOs). We 
reviewed more than 700 resources, including statutes, regulations, reports, articles, congressional 
testimony, and prior studies. 

Our recommendations seek to address the issues identified in two overarching ways: 1) design a national 
approach for catastrophic power outages that provides the guidance and incentives needed to take action 
across all levels of government and industry and down to communities and individuals; and 2) improve our 
understanding of how cascading failures across critical infrastructure will impact restoration and survival, 
enabling us to identify further actions needed to mitigate these failures. 

The federal government and industry are already leading many initiatives that are consistent with these 
recommendations. As set forth in subsequent sections, this study relies on and urges continued 
advancement of these initiatives. The study also encourages the adoption of new initiatives that will 
complement these ongoing efforts and lead to a better response to a catastrophic power outage. 
Recommendations and Supporting Findings

The complexity of the challenge posed by catastrophic power outages will require working across agencies, 
sectors, and levels of government to involve all stakeholders. For each recommendation we identify a 
cabinet-level secretary to lead the effort and be responsible for implementation. We have also identified 
agencies that should provide support, including primary support roles for agencies that will need to provide 
significant input, expertise, and assistance. We also include supporting findings based on insights from 
interviews and research, and ongoing federal and industry initiatives that are consistent with our 
recommendations and should continue to be advanced and supported. 


Design a National Approach for Catastrophic Power Outages


Design a national approach for catastrophic power outage planning, response, and recovery. 

Current planning frameworks focus on sector-by-sector preparedness and response, but in a catastrophic 
power outage, U.S. infrastructure and services will fail as a system. We need to take a systems approach—
from the federal level down to the local level—to plan, design, and respond to these
never-before-experienced events. This approach must move beyond existing planning and response frameworks and
provide the guidance needed for an integrated cross-sector, cross-government strategy. The 
recommendations in this section provide a path forward for putting in place a national approach for dealing 
with catastrophic power outages. 


Recommendation 1


Examine and clarify the federal authorities that may be exercised during a 
catastrophic power outage and grid security emergency and clearly identify the 
cabinet-level leadership and decision-making processes. 

An event of this scale—with severe economic and national security implications—will require an 
unprecedented level of federal leadership, likely engage the military, and will see the federal government 
exercise authorities that have rarely or never been used. Infrastructure owners and operators and state 
leaders recognize this conceptually, yet it is unclear how command authorities will change, who will make 
decisions, and how resources will be coordinated. 

A. Conduct an examination of federal emergency authorities and identify how they could be 
activated, by whom, and what implications they would have for private-sector, state, and local 
responders and ultimately how they would support Presidential action. 

B. Identify the cabinet-level officials who would take the lead in a catastrophic power outage 
and establish how these officials will coordinate and implement response with the public and 
private sectors, and state, local, tribal, and territorial (SLTT) governments to manage the cascading 
cross-sector impacts of these events. 

C. Include and authorize catastrophic power outages as a high-priority mission for three 
key agencies: the Department of Energy (DOE), namely the Office of Electricity (OE) and Office of 
Cybersecurity, Energy Security, and Emergency Response (CESER); the Department of Homeland 
Security (DHS), namely the Federal Emergency Management Agency (FEMA) and the Cybersecurity 
and Infrastructure Security Agency (CISA); and the Department of Defense (DOD), namely U.S. 
Northern Command (NORTHCOM), U.S. Indo-Pacific Command (INDOPACOM), and the Defense 
Threat Reduction Agency (DTRA); and other agencies as appropriate. This authority should be 
underwritten with specific budget appropriations to provide the supporting resources necessary to 
achieve this mission, with clear roles and responsibilities identified for each agency. Identify and 
request that Congress provide any additional authorities and resources needed to execute the 
recommendations of this study. 

D. Enhance critical infrastructure sector participation at the National Infrastructure 
Coordinating Center (NICC) and National Cybersecurity and Communications 
Integration Center (NCCIC) to provide critical infrastructure sectors with a better 
understanding of NICC and NCCIC operations, and position sector representatives to provide
industry perspective and insights. Because catastrophic power outages are likely no-notice or 
limited-notice events, these key infrastructure representatives should be onsite full time to help 
identify issues and respond more quickly and efficiently. 

i. At a minimum, the Electric, Financial Services, and Communications Sectors should have 
representatives from the Sector Coordinating Councils (SCCs) or Information Sharing and 
Analysis Centers (ISACs), given the structure and organization of those sectors. 

ii. Other critical lifeline sectors, such as the Oil and Natural Gas (ONG) Subsector, Water and 
Wastewater Systems Sector, and Transportation Systems Sector should work with DHS to
determine the appropriate representatives and level of engagement at the NICC and NCCIC 
to quickly and effectively engage and provide advisory input during a catastrophic power 
outage. 


Lead: Secretary of Homeland Security 

Support: Department of Energy (Primary), Department of Defense, and other agencies as 
appropriate 


Supporting Findings 

• Existing frameworks do not identify who has ultimate decision-making authority or clearly define
the roles to be undertaken by SLTT governments and the private sector during a widespread,
multi-state catastrophic power outage that will require coordinated cross-sector, cross-government
response.

o While incident command and unified coordination frameworks generally work, if an incident 
goes beyond a confined geographic area these frameworks start to lose effectiveness due to 
the increased size of the impact area, the number and diversity of members in unified 
coordination groups, and the complexity of the response. 

o Owners and operators have limited visibility into how the federal government will manage 
an event of this size, and how the federal government will be working with the private 
sector to make critical resource decisions. 

o Although emergency authorities are understood at a high-level, how they are implemented 
in practice is unclear. There is a better understanding for physical events that are more 
frequently practiced, but it is less clear for cyber-physical events and larger-scale disasters. 

o The Power Outage Incident Annex to the Response and Recovery Federal Interagency
Operational Plans (POIA) outlines the responsibilities of federal organizations involved in
response and recovery during a long-term power outage (defined as 72 hours or more).
However, it is unclear how POIA would be used in practice and what specific federal
authorities will actually make priority decisions during a catastrophic power outage. 1

1 FEMA, Power Outage Incident Annex, 2017.

• The federal government and military organizations have enormous support resources for an event
of this scale, but an efficient response requires close coordination of those resources and
capabilities with those in the private sector and who is in charge of the response, and there will/may
be competing needs for those resources and capabilities necessitating tough calls on prioritization.

• SLTT leaders and owners and operators have the best understanding of the needs of their 
community and can provide valuable information on where to most efficiently apply resources and 
make the most effective allocation decisions with limited available resources. 

Ongoing Initiatives 

• National Response Framework (NRF) Update: FEMA is updating the NRF with the goals of increasing
the emphasis on the role of the private sector and individuals in response; adding an emergency
support function (ESF) to coordinate government and industry response; and focusing on outcomes and
prioritizing rapid stabilization of lifeline functions. As part of this process, the NIAC recommends:

o FEMA engage all stakeholders including SLTT governments, NGOs, and private sector 
owners and operators to ensure the new framework is accessible and understood by all 
stakeholders. 

o FEMA consider practical and actionable ways to best leverage industry during the response 
to restore critical lifeline sectors more quickly and efficiently. 

o Exercise the National Cyber Incident Response Plan with the private sector to identify how it 
will work operationally during a real-life scenario and support the NRF. 

• DOE Emergency Authorities: Building on 10 C.F.R. § 205, DOE is working with Grid Security
Emergency (GSE) stakeholders to outline how an emergency order is communicated and building 
exercises to better understand what conditions the federal government may support during a GSE. 2 

o Potential emergency orders and provisions should account for regulatory, cost, and liability 
issues that may speed up the ability to issue and implement orders during a catastrophic 
power outage when timing will be crucial. 

o Establish a role/structure for private sector owners and operators to provide crucial analysis 
to inform the declaration of a grid emergency. 

■ Monitoring and assessment capability must be in place and survivable against 
adversary attack and subversion. 


Recommendation 2 


Develop a federal design basis and the design standards/criteria that identify what 
infrastructure sectors, cities, communities, and rural areas need to reduce the 
impacts and recover from a catastrophic power outage. 

The design basis should take into account the cross-sector implications and cascading service failures of a 
catastrophic power outage. The design basis can guide planning and mitigation efforts, serve as a basis to 
develop appropriate incentives and investments, and provide the framework needed for investments to be 
made over time. 

A. Develop design criteria and/or standards for critical infrastructure hardening, backup 
power, blackstart capabilities, fuel supply requirements, back-up communications requirements 
(including a standardized mobile command center design), food and water considerations, and 
other requirements that communities and businesses can build to. 


2 Administrative Procedures and Sanctions, 10 C.F.R. § 205. 
B. Expand the National Institute of Standards and Technology (NIST) Community
Resilience Program to include the catastrophic power outage federal design basis criteria. 

C. Share the DHS National Risk Management Center’s (NRMC) national critical function 
analysis and analytical capability with SLTT governments and owners and operators to help inform 
these decision-makers as they identify state and community-level critical functions that must be 
prioritized for restoration and hardening investments. 

D. Assess the economic and socio-economic impacts of a catastrophic power outage on
critical infrastructure and the ability of the national economy to withstand and recover from such
events. The Council of Economic Advisers is well-positioned to conduct this assessment.

i. The results of this analysis are needed to better understand the financial implications of the 
catastrophic power outage and how the economic risk should be factored into planning and 
recovery. It is also necessary to provide the economic justification for meeting enhanced 
design criteria and preparedness standards. 

ii. The analysis should also examine and identify any barriers to federal financial support 
services for tribal, territorial, and insular governments to ensure these entities have access 
to the resources they need to respond and recover from catastrophic events given the 
economic and geographic limitations some face. 

Lead: Secretary of Homeland Security 

Support: Department of Energy (Primary), National Risk Management Center, National Institute 
of Standards and Technology Community Resilience Program, Council of Economic Advisers, and 
other federal agencies as appropriate 


Supporting Findings

• There are no coordinated, consistent standards or design criteria for increasing resilience to a
catastrophic power outage that industry and government could work toward over time.

o Companies and SLTT governments need time and justification to support making
investments in more resilient infrastructure. A federal design basis could provide the
guidance for a more coordinated and incremental increase in resilience.

• There is no common agreement on the level of redundancy or resilience that should be built into
critical utilities—such as energy, water and wastewater, and communications—to lessen the risk
and impacts of a long-term catastrophic power outage.

o Without design basis guidance from the federal government, it is difficult for owners and
operators to justify investments, receive regulatory approval, or even know what standards
are realistic and sensible to build to because everything cannot be hardened. Sectors will
also continue to build based on siloed or individual requirements without taking into
account the larger context of national or other critical functions.

• There is a lack of understanding of the cascading, cross-sector interdependencies between
infrastructure and what that means for prioritizing backup generation and other limited resources
to maintain services and functions during a long-term, widespread outage.

o Hospitals and other mass care providers are often at the top of priority restoration lists;
however, some of the water and wastewater treatment facilities they rely on, for example,
are not. Without working water or wastewater systems, hospitals are unable to function.
There may even be a lack of understanding of which hospitals are the most critical to
prioritize restoration.

• There is no common understanding of how long downstream sectors should be prepared to go 
without power, and what other services could be affected by the cascading impacts of a 
catastrophic outage. 

Ongoing Initiatives 

• The NIST Community Resilience Program—part of NIST's broader disaster resilience work—is a
program designed to 1) develop the technical basis for tools to assess resilience and support
informed decision-making for communities of all sizes; and 2) conduct outreach to community
stakeholders to inform the development of NIST community resilience guidance tools for planning
and implementing resilience measures. 3

• The NRMC was established to provide a central location for collaborative, sector-specific and
cross-sector management efforts to protect critical infrastructure. Within this, the NRMC will identify
national critical functions through risk registries and dependency analyses with a focus on lifeline
functions, and develop a strategic framework to identify critical cyber supply-chain elements across
critical infrastructure sectors. 4


Recommendation 3 


Develop guidance and provide resources for states, territories, cities, and localities 
to design community enclaves—areas that co-locate critical services and resources 
to sustain surrounding populaces, maintain health and safety, and allow residents 
to shelter in place. 

Community enclaves are not new mass shelters or camps; rather, they would generally consist of existing 
facilities and their supporting infrastructure, strategically located across communities to prevent mass 
migration or support survival when migration is not possible or residents must return as the outage persists. 

A. Identify the critical lifeline functions that communities need (even in a limited capacity or 
degraded state)—such as communications, electricity, fuel, limited financial services, food, water 
and wastewater, and medical facilities—and for how long (e.g., 30-45 days). 

i. Integrate this guidance into the NIST Community Resilience Program. The guidance must 
include standards such as the number of hospitals, grocery stores, retail providers, gas 
stations, etc., based on population. 

B. Support demonstrations of community enclave design approaches, which may range
from traditional hardening of infrastructure to microgrids that combine distributed energy 
resources, energy storage, and innovative consumer technologies. Deliver peer-reviewed results 
and lessons learned from demonstrations to provide utilities and communities with effective 
approaches to design, manage, operate, and fund microgrid and energy resilience capabilities. 


3 NIST, Community Resilience Program. 

4 DHS, DHS National Risk Management Center. 
C. Develop and support voluntary assessments of critical functions at the SLTT level to
help identify the existing infrastructure—electricity corridors, drinking water and wastewater,
natural gas and liquid fuel pipelines, gas stations and fuel distribution sources, grocery stores,
schools, hospitals, etc.—to create the community enclave.

i. SLTT governments should use the voluntary assessments to inform emergency 
preparedness planning efforts to prioritize restoration of the infrastructure supporting the 
enclave, and to direct investments to harden this infrastructure as they are able. 

ii. The newly formed NRMC's work to identify national critical functions could serve as a 
starting point and be expanded to conduct these voluntary state and local assessments. 

iii. The voluntary assessments must take into account the different challenges and needs of 
states and communities, including territories and isolated areas, and at-risk or vulnerable 
populations. 

D. Develop and conduct outreach and training for businesses and individuals to build a 
culture of preparedness at the individual and household level. Community enclaves are predicated 
on the idea that the majority of U.S. citizens are prepared and able to safely shelter in place for 
extended time periods. 

Lead: Secretary of Homeland Security 

Support: Federal Emergency Management Agency (Primary), National Protection and Programs 
Directorate (Primary), Department of Energy, and the National Institute of Standards and 
Technology Community Resilience Program 


Supporting Findings 

• Given the growing frequency and severity of disasters and other risks, there needs to be an increase 
in individual accountability, enterprise, and community investment in resilient infrastructure. 

o There is a misconception that events occur infrequently. 

o There needs to be more individual accountability for preparedness. 

• Resilience at the state and local level will be critical to enable people to shelter in place and 
facilitate faster recovery. Any event that requires a mass evacuation will use up critical resources, 
clog transportation pathways, and reduce the workforce necessary for infrastructure recovery. 

• Electricity, fuel, clean drinking water, wastewater services, food/refrigeration, emergency medical 
services, communications capabilities, and some access to financial services have been identified as 
critical lifeline services that would be needed to sustain local communities and prevent mass 
migration. 

• Any efforts at the community level need to include input from SLTT governments, NGOs, critical 
services providers, and community leaders. 

o People default to trusted leaders and institutions (e.g., local government officers, faith- 
based centers, schools, civic organizations) in their community. 

• Rather than building new infrastructure, existing community infrastructure (e.g., a school, a mall, or 
an indoor stadium) could be upgraded using agreed upon resilience standards (i.e., fuel, power, 
communications, etc.), thus creating local resilience centers quicker and at less cost than building 
new ones. 

o This level of planning and coordination will require a massive, interconnected analysis of the 
interdependencies, state processes, and maximum capacities for fuel storage. 

• Florida Power and Light has established a model for identifying and hardening "community 
circuits"—electric distribution lines and substations that feed power to sites where multiple critical 
lifeline services are provided to communities. This could be expanded beyond electricity to the 
infrastructure needed for fuel resupply, communications, water and wastewater. 

• Reliable fuel supply will be critical for establishing community enclaves and requires a baseline 
understanding of current storage and distribution capabilities. 

o Emergency fuel supply needs, fuel transportation requirements, the availability of backup 
generation, and the mutual interdependency of gas and electricity must be clearly 
understood by all stakeholders. 

o In most cases, in-state fuel resources will not be sufficient to meet the need for a 
catastrophic power outage. 

• NIST community resilience planning guidance and tools are designed to be community driven and 
incorporated into existing efforts. Counties, cities, and communities need to define what resilience 
should look like for them, and the program encourages building resilience into all community 
actions. 

o NIST has also done work identifying building clusters or the buildings that provide crucial 
services or functions within communities. Those communities are then able to develop 
performance goals around those clusters. 

• A key challenge for community enclaves will be the last mile of distribution and resupply of 
resources. To address this, enclaves should take advantage of industry efforts and pre-existing 
capabilities. 

o For example, partnering with companies that have pre-existing robust distribution systems 
and distribution warehouses. 

• People no longer keep enough essentials within their homes, reducing their ability to sustain 
themselves during an extended, prolonged outage. We need to improve individual preparedness. 

o Most preparedness campaigns call for citizens to be prepared for 72 hours in an emergency, 
but the new emerging standard is 14 days. 

o For example, Washington, Oregon, and Hawaii have a standard that individuals have enough 
food and water to support themselves for 14 days. These efforts could serve as a model for 
federal and state preparedness resources, campaigns, and training. 

o The idea of individual preparedness is not a new concept. Civil defense, an older term used 
to elevate a level of individual preparedness and activate communities, used to be more 
widely accepted. 

o FEMA offers a number of tools, resources, and guidance on emergency preparedness, 
including recent efforts focused on better financial preparedness for disasters, and working 
with interagency partners on activity books and courses to educate students on emergency 
preparedness. 

Ongoing Initiatives 

• FEMA's 2018-2022 Strategic Plan: The Strategic Plan is a framework for supporting the United 
States before, during, and after disasters, and has three Strategic Goals aimed at mobilizing a whole 
community approach to disaster response to build a culture of preparedness, readying the nation 
for catastrophic disasters, and reducing FEMA's complexity. 5 

o Strategic Goal 1: Build a Culture of Preparedness includes objectives to incentivize 
investments that reduce risk, including pre-disaster mitigation; closing the insurance gap; 
helping people prepare for disasters; and better learn from past disasters, improve 
continuously, and innovate. 


Recommendation 4 


Design and support a portfolio of incentives that provide financial support or remove 
financial and regulatory barriers to help companies, nongovernmental organizations, 
and state, local, tribal, and territorial governments implement the recommendations 
included in this report. 

Develop incentives at the federal level and provide guidance to help state and local legislators, regulators, 
and insurers to provide incentives that encourage public and private investment in resilience. 

A. The national design basis provides the criteria needed to justify the actions or 
necessary funding. Federal agencies responsible for implementing the recommendations must 
determine what incentives make sense to drive action, and examine whether they have the 
authority and funding available to do so. 

B. For the power sector: 

i. The Secretary of Energy should seek to identify major incentives that could quickly have 
impact, forming a framework of incentives that can be added to over time, and taking into 
account the different ownership structures in the power sector (e.g., investor-owned 
utilities, cooperatives, public power utilities) and that some may need more direct financial 
support. 

ii. The Federal Energy Regulatory Commission (FERC) should implement cost recovery and 
return on equity incentives for investments in hardening the bulk power system (BPS). 

iii. The Secretary of Energy should work with Congress to provide incentives and technical 
assistance for state public utility commissions to evaluate cost recovery for resilience 
investments or provide cost recovery incentives at the retail or distribution level. 

iv. The Secretary of Energy should work with Congress to provide liability protection and other 
incentives set forth in the recommendations where the government lacks authority. 

C. Incentives that should be considered by agencies include: 

i. Regulatory compliance waivers during events 

ii. Matching funds for state grants or other investments 

iii. Mitigation funding (e.g., grant reform for hardening systems) 

iv. Streamlined permitting for investments or actions included in the report 

v. Tax credits for making investments to meet the federal resilience design basis 


5 FEMA, 2018-2022 Strategic Plan, 2018. 

vi. Engaging the insurance industry to discuss insurance rate structures that value investments 
in resilience 

vii. Funding for pilot programs to test implementation of new measures at the state level 

Lead: Secretary of Treasury 

Support: Secretaries of the relevant Sector-Specific Agencies (Primary), Federal Energy Regulatory 
Commission, and other federal agencies as appropriate 


Supporting Findings 

• All levels of government need a more comprehensive understanding of federal and state 
investments in order to better target funding to help manage the growing costs of catastrophic 
events. With the increasing severity and frequency of natural disasters, policymakers are looking for 
ways to control costs by investing in mitigation activities—actions that reduce risk to lives and 
property—before a disaster happens. 

• The federal government and states can support the development of consistent resilience design 
standards, understanding that regional and state and local circumstances may warrant different 
levels or kinds of resilience. 

o The NRMC's efforts to prioritize functions that must remain operational during disasters 
could help identify and prioritize the investments needed to sustain those 
services/functions during a catastrophic power outage. 

• Consistent resilience design standards can make it easier for Public Utility Commissions (PUCs) and 
regulators to adjust rates for owners and operators by providing them with the guidance 
necessary to understand what the reasonable risk costs and tradeoffs are to support resilience 
investments. 

• The federal government could support additional incentives or tax breaks to the operators, and/or 
the individual commercial or residential users, to encourage participation in specific resiliency 
projects. Other incentives include: 

o Regulatory compliance waivers during events 

o Provide federal matching funds to state-run programs 

o Provide funding for mitigation ahead of a disaster (e.g., grant reform and supporting the 
DOE's strategic transformer reserve) 

• As we have recommended in previous studies, outcome-based market incentives—focused on the 
desired end-state rather than meeting minimum standards—can encourage large-scale 
infrastructure upgrades, directing company resources toward exceptional resilience improvements 
rather than demonstrated compliance with minimum standards. 

o Outcome-based requirements give companies the flexibility to best achieve or exceed 
objectives, while allowing for variations in company structure, size, and resources. 

• There should be an emphasis on deliberate planning because the expense of recovery can be 
mitigated with intentional investment in infrastructure ($1 spent on mitigation, $6 in savings 6 ). 


6 National Institute of Building Sciences, Natural Hazard Mitigation Saves: 2017 Interim Report, 2017. 

• In 2017, DOE and the National Association of Regulatory Utility Commissioners (NARUC) released a 
cybersecurity primer for regulatory utility commissions with best practices, access to industry and 
national standards, and other information. 7 

• During a grid emergency or a catastrophic power outage, there needs to be the ability to reduce 
load or ensure certain areas have power. This will be crucial for national security, but will create 
haves and have-nots. There need to be liability protections in place for grid owners and operators 
to do this during an emergency because the Federal Power Act does not provide liability protection. 

o Congress should legislate the expansion of liability protections for grid owners and 
operators. 

• The power grid is a prime target for attack by nation states, and it is not fair for ratepayers to bear 
the full burden for this national security function. 


7 Karen Evans, DOE Modernization: The Office of Cybersecurity, Energy Security, and Emergency Response, Hearing before the Committee on Energy 
& Commerce, Subcommittee on Energy, 2018. 

Mitigate Cross-Sector Interdependencies and Cascading Failures 


Identify cascading failures impacting key sectors, especially natural gas supply and communications, to 
ensure their availability to aid power restoration, and identify actions to improve resilience to a 
catastrophic power outage. There is a lack of understanding of the cascading, cross-sector 
interdependencies between infrastructure and what that means for prioritizing backup generation and 
other limited resources to maintain services and functions during a long-term, widespread catastrophic 
power outage. The recommendations in this section are aimed at building a better understanding of how 
different infrastructure interacts with each other, particularly during a failure, to inform the steps needed to 
prepare for a catastrophic power outage. 


Recommendation 5 


Conduct a series of regional catastrophic power outage exercises that identify the 
second- and third-order cascading failures of an outage over time, as backup 
resources and mutual aid agreements are exhausted, and examine cross-sector 
supply chain and cyber risks that could delay re-energizing the grid. 

Include all cross-sector partners, including critical infrastructure owners and operators (e.g., natural gas 
suppliers, water and wastewater, transportation, communications, finance, food and agriculture, public 
health); SLTT government officials; NGOs; and transmission operators and power utilities. Conduct exercises 
in the existing bulk power system regions—as coordinated by Regional Transmission Organizations (RTOs), 
Independent System Operators (ISOs), and North American Electric Reliability Corporation (NERC) Regional 
Reliability Coordinators—to provide a realistic view of how electricity failures would occur, and the 
cross-sector and cross-jurisdictional issues that would result. In addition, employ the convening power of the 
federal government to guide and support planning and exercises for all U.S. geographic areas, particularly 
islands and territories. 

A. Use results of the exercises to develop guidance on how RTOs/ISOs and Reliability 
Coordinators should conduct blackstart exercises and response/recovery planning with their 
region's generation plant owners, transmission owners, and fuel providers to ensure the sufficiency 
of blackstart resources and identify risks specific to catastrophic power outages. 

B. Review and build upon lessons learned from GridEx, the National Level Exercise, and 
other relevant exercises, including blackstart drills and DOE's Liberty Eclipse, taking into account 
the need for exercises to simulate the dynamic and compromised circumstances that will be 
experienced during a catastrophic power outage. 

C. Synthesize the analysis on cross-sector failures over the last 10 years from after-action 
reports and other documents to identify and recommend best practices, and to better understand 
how infrastructure failures cascade. 

D. Employ the convening power of the federal government to guide and support 
collaborative cross-sector engagement to improve the shared understanding of cascading 
interdependencies and mitigation paths and processes. This should involve engaging sectors not 
previously involved in exercises. 

i. Engage cross-sector entities under the Critical Infrastructure Partnership Advisory Council 
(CIPAC) to encourage more collaboration across government and industry in implementing 
the recommendations from these exercises. 

Lead: Secretary of Energy 

Support: Federal Emergency Management Agency (Primary), North American Electric Reliability 
Corporation (Primary), Department of Homeland Security, and Federal Energy Regulatory 
Commission 


Supporting Findings 

• There are a number of existing exercises that consider large-scale power outages, but they have not 
matured to engage all necessary stakeholders, including local and community leaders and cross-sector 
representatives, and are unable to answer exactly who will be making decisions and what actions 
the federal government will take. 

o Centralized tabletop exercises may have challenges with engaging a large number of 
stakeholders, but distributed play aspects could provide greater opportunities to broaden 
participation to state and local governments and other sectors. For example, some states, 
such as Wisconsin and South Carolina, used the distributed play from GridEx as their major 
state disaster planning exercise. 

• RTOs/ISOs and reliability coordinators have existing blackstart plans that are routinely exercised and 
built upon, but there is a desire for the government to be more involved. There is some 
inconsistency in how blackstart plans are exercised with key stakeholders including fuel suppliers 
and state and local government. 

• There is no economic backstop to prop up companies that lose a large percentage of their 
customers during a catastrophic power outage. There is also no nationwide backstop to prop up the 
national economy if the power is out for so long that financial institutions are unable to operate and 
companies cannot access capital. 

• Emergency managers at the state, county, and local levels have existing relationships with owners 
and operators of critical infrastructure in their jurisdictions, and should be empowered and 
supported to take on more responsibility during a catastrophic power outage. 

Ongoing Initiatives 

• Cross-sector dependency models: To understand the impacts of a catastrophic power outage, 
modeling of the critical U.S. infrastructure—electricity, natural gas, and other dependent sectors—is 
needed to identify vulnerabilities and define solutions paths. Current efforts include: 

o DOE is working with its partners to develop a North American Resiliency Model. 

o The Electric Infrastructure Security (EIS) Council is working on a Global Infrastructure 
Network Optimization Model (GINOM). 

• Tri-Sector Executive Working Group: The NIAC had previously recommended the formation of a 
strategic infrastructure group—made up of senior executives from the Electricity, Financial Services, 
and Communications Sectors who can direct priorities and marshal resources. The Tri-Sector 
Executive Working Group is being chartered under the Critical Infrastructure Partnership Advisory 
Council (CIPAC). The newly formed NRMC intends to work closely with the group for sustained 
cross-sector engagement. 


Recommendation 6 


Ensure that all critical natural gas transmission pipeline infrastructure has the 
appropriate standards, design, and practices to continue service during a 
catastrophic power outage and maintain rapid availability to support blackstart 
generation. 

Establish programs—working with the pipeline, electric power, and communications industries—to ensure 
secure pipeline operations and resilience by examining overall interconnectedness and mutual 
interdependencies. 

A. These programs may include voluntary, industry-led efforts, mandatory standards, or a 
combination of these approaches. It may require using existing legal authorities or, after 
consultation with industry, developing new legal authorities. 

B. Establish guidance that encourages generation and transmission owners and operators 
to conduct blackstart exercises with their natural gas providers to identify and plan for 
scenarios where fuel supply issues may impede blackstart capabilities and delay re-generation of the 
grid. 

Lead: Secretary of Energy 

Support: Department of Transportation (Primary), Transportation Security Administration, North 
American Electric Reliability Corporation, Federal Energy Regulatory Commission 


Supporting Findings 

• The electric system has a growing dependence on the natural gas pipeline system to assure 
operation, resilience, and recovery from outages. 

o The Electricity Subsector is becoming more reliant upon natural gas as a fuel source; from 
2002 to 2016, the share of electricity generated by gas-fired units increased from 18 percent 
to about 34 percent while the share generated by coal fell from about 50 percent to about 
30 percent. 8 

• The construction of natural gas pipelines is driven by the market and demand. Pipelines are built to 
meet firm capacity, when there is a willingness and ability of customers (i.e., shippers) to financially 
commit to the gas that would be provided. 

o Limited pipeline capacity in a particular region can be attributed to factors such as 
environmental regulations hindering construction and/or residents who do not want 
pipelines in their communities. Also, there may be a general lack of incentive(s) among the 
generator community to contract for firm service. 

• There are modest steps being taken to address pipeline security, including recently updated and 
expanded Transportation Security Administration (TSA) voluntary guidelines, but these steps need 
to be expanded. 


8 DOE, Staff Report to the Secretary on Electricity Markets and Reliability, 2017. 

o The NERC has offered a set of recommendations on opportunities for gas-electric 
coordination, many of which might be supported by data to facilitate broader assessments 
of fuel resilience and collaborative mitigation measures. 

Ongoing Initiatives 

• Pipeline Cybersecurity Initiative: The CISA Director, TSA Administrator, and CESER Assistant 
Secretary met in October 2018 to identify ways to collaborate with industry partners to enhance 
and improve pipeline cyber and physical security. 


Recommendation 7 


Develop or support a flexible, adaptable emergency communications system that 
all sectors can interoperably use, that is self-powered, and is reasonably protected 
against all hazards to support critical service restoration and connect 
infrastructure owners and operators, emergency responders, and government 
leaders. 

A. A portfolio of communications capabilities must be put in place to ensure that the 
private sector, federal and SLTT governments, and others are able to communicate despite the 
cause of an outage. 

i. Draw on DOD capabilities and technical expertise on survivable communications during a 
disaster. 

Lead: Secretary of Homeland Security 

Support: Department of Defense (Primary), Department of Energy, Federal Communications 
Commission 


Supporting Findings 

• Restoration and recovery are next to impossible without working communications systems. Existing 
plans and exercises rely on the ability to coordinate response via voice or data communications 
systems, which are likely to be unavailable or degraded during a catastrophic power outage. 

o Most companies have internal emergency communications and/or plans for restoration in a 
degraded state or blackstart. However, cross-sector coordination and support require 
broader telecommunications and hardening. 

• Backup power generation is a commonly accepted emergency response standard, but backup (i.e., 
diverse or redundant) communication capabilities are generally not standard. 

• The electric industry has been examining historical methods to enhance resilience. Use of amateur 
or single-sideband radios for communications and manual management of electric grid operations by 
frequency are being trialed. 

• Communications systems, including information technology (IT), need to be robust and capable of 
operating even in a degraded state to provide situational awareness and allow for coordination and 
information-sharing among federal government authorities, SLTT government, owners and 
operators, and communities. 

o Emergency communications must have backup power and be deployable to all 
infrastructure and critical supply chains. 

• Backup communication devices are available—such as satellite phones—but they are typically 
limited in number and are often not maintained or protected from all hazards. People also may not 
know how to use them or have the correct numbers for the people they need to reach. The 
bandwidth capacity and number of devices for these backup communications, like satellite phones, 
are not adequate to fully support the coordination of recovery and restoration efforts during an event 
of this scale. 

o All communications systems are vulnerable to damage or attack, necessitating a variety of 
possible communication methods. To have resilient communications requires being 
prepared for multiple potential outcomes. 

o There needs to be a prioritized method for communications in a degraded state when 
communication goes out across multiple sectors. 

• The level of network assuredness anticipated to meet these needs can be provided in whole, or in 
part, by commercial communication providers. A number of federal departments and agencies have 
already addressed their own need for high-assurance communications to support their essential 
missions. 

• DHS has previously contracted comparable networks for critical entities to use under similar 
circumstances (e.g., the Critical Infrastructure Warning Information Network (CWIN)). The 
approaches used by these agencies, as well as DHS's past experience, may provide a template to 
expedite developing the requirements for implementing network capabilities resistant to a wide 
range of catastrophic scenarios. 

• Survivable communications are the lynchpin for responding to this type of event and restoring 
electricity (e.g., ability for power companies to communicate with each other and the government). 

o The Pentagon has done a tremendous amount of work on survivable communications that 
can provide the minimum level of functionality needed. 

o Supply chain risk management will also be important to ensuring communications systems 
are survivable and not able to be compromised. 

o FEMA, DOD, and DOE can all provide technical assistance to meet the minimum level of 
requirements needed. 

Ongoing Initiatives 

• The Electricity Subsector Coordinating Council (ESCC) Resilient Communications Working Group 
has identified the need to update, modernize, and move some of the underlying systems out of 
private networks partially because real-time coordination across multiple sectors makes voice and 
data telecommunications critical for operation of the grid. The ESCC has also recommended that 
some form of backup communications capability to restore the grid after a major disaster needs to 
be created. 

o The ESCC has created a policy principle statement supporting emergency communications 
to validate and formalize the current work being done with the Communications Sector. 

• The EIS Council is working on Black Sky Emergency Communications and Coordination System 
(BSX)—an interoperable, secure system that can incorporate a range of communication 
technologies to support grid re-start activities. 9 


9 EIS Council, "Black Sky Emergency Communication & Coordination System: BSX." 

Moving Forward: A Call to Action 

A catastrophic power outage could paralyze entire regions with grave consequences for national security, 
economic security, and public health and safety. The magnitude of this threat requires the federal 
government to lead in every way possible to: 

• Establish and execute clearly understood authorities 

• Maintain a high-priority mission for catastrophic power outages 

• Provide steadfast guidance and incentives for action 

• Deliver resources, including dollars, expertise, and decision-making capabilities 

To do so requires that the federal government serve as convener and lead collaborator for critical infrastructure 
owners and operators and stakeholders across all levels of government. Strong and effective public-private 
collaboration will be crucial. 

Throughout this study we have learned about ongoing initiatives, such as the work the EIS Council has done 
developing materials and playbooks on black sky hazards, the current efforts by FEMA to build individual 
preparedness and incorporate lessons learned into the nation's emergency response plans, and the work of 
CISA to build cross-sector collaboration, along with many other efforts across government and industry. This 
work is important and is helping to drive action. It should continue to be supported and advanced. 

We believe our recommendations build on this ongoing work and provide a path forward for enhancing the 
nation's capabilities to respond to and recover from these never-before-experienced events. 

Given the importance of this issue and the number of ongoing efforts, we ask the NSC—working with the 
lead agencies identified—to provide a status update to the NIAC within nine months of the report's approval 
on how our recommendations are being implemented, progress being made on ongoing initiatives, or any 
significant barriers to implementation. 

Appendix B: Study Methodology 

The United States has experienced long-term power outages (typically defined as 72 hours or more), such as 
the 2003 Northeast Blackout (more than 50 million customers without power across the Midwest and 
Northeast for up to four days), Hurricane Katrina in 2005 (2.7 million customers without power across four 
states for 2-4 weeks), and Superstorm Sandy in 2012 (more than 8.5 million customers lost power in 20 
states and the District of Columbia for about two weeks). 10 More recently, the devastation in Puerto Rico 
following Hurricanes Irma and Maria gave us a glimpse at how a loss of power can cascade into other 
sectors affecting public health and safety and the economy. 

The nation has steadily improved its ability to prepare for and respond to events that are of relatively short 
duration and extent. Federal and state entities have identified and incorporated lessons learned from each 
of the events listed above. 

This study is not focused on long-term power outages we have experienced. The President's National 
Infrastructure Advisory Council (NIAC) was challenged to move beyond what we as a nation have 
experienced and to imagine what would happen if these events stretched beyond days or weeks to months 
or years, if they affected large swaths of the country, and existing response capabilities were exhausted. 

This appendix outlines how the NIAC approached this tasking. 

Charge to the NIAC 

Given the interconnected nature of critical systems and networks, new broad-scale approaches are needed 
to adequately prepare for, respond to, and recover from catastrophic disasters that can create significant 
power outages with severe cascading impacts to multiple critical sectors. 

On May 21, 2018, the White House, through the National Security Council (NSC), tasked the NIAC to build on 
insights gathered during a scoping effort to develop findings and actionable pragmatic recommendations 
that address how the public and private sectors can work together to further enhance and integrate critical 
infrastructure resilience with response and recovery actions to mitigate the risks posed by catastrophic 
power outages. Specifically, the NSC tasked the NIAC with addressing five questions: 

1. What investments, including approaches to increase resilience and reliability, are needed in 
infrastructure systems and supply chains to minimize the duration, extent, and recovery time for 
long-duration, large-scale power outages? What are the roles of the private and public sectors in 
these investments? 

2. What critical factors are required to sustain national security; operations within the banking and 
finance, public health and medical, communications, transportation, and water sectors; and the 
integrity of the national and regional economies during efforts to restore electric power? 

3. What is the Nation's readiness to prioritize and coordinate resource sharing among federal, state, 
and private entities during catastrophic power outages that will mitigate cascading impacts across 
the lifeline functions? 

4. To what extent are regional and national-level vulnerabilities to catastrophic power outages 
understood, given the diversity and complexity of North American electric generation, transmission, 
distribution, and storage configurations and markets? 


5. Where does the Power Outage Incident Annex to the Response and Recovery Federal Interagency 
Operational Plans fit within the context of public-private preparedness activities? 

10 FEMA, Power Outage Incident Annex, 2017. 

Study Approach 

To complete this task, the NIAC formed a Working Group of 10 NIAC members that: 

• Built on the NIAC Catastrophic Power Outage Scoping Study completed in June 2018. As part of 
the scoping effort, the Council was tasked to identify the gaps and challenges the nation's 
infrastructure would face during a catastrophic outage. A Working Group of six NIAC members: 

o Interviewed 21 senior leaders and subject matter experts from federal and state 
government and industry. 

o Reviewed over 350 resources, including laws, reports, articles, and prior studies. 

o Considered three key pillars to frame the study scope: 

■ The infrastructure investments and system hardening that could minimize outage 
severity. 

■ The critical factors required to sustain public health and safety and the integrity of 
the national and regional economies during power restoration. 

■ The nation's readiness to prioritize and coordinate resource sharing among federal, 
state, and private entities during an outage of unprecedented scale. 

o Identified 8 key areas of inquiry for in-depth examination in the full study. 

• Formed a Study Group of 13 subject matter experts to vet and validate the 8 key areas of inquiry 
from the scoping effort. The Study Group: 

o Conducted interviews of 25 experts from federal and state government, industry, and 
academia. 

o Conducted research and reviewed more than 100 sources to identify capabilities that 
aligned with government and industry needs and existing capabilities. 



• Defined catastrophic power outages to frame interviews, research, and discussions to ensure clarity 
in how these events are different and that the recommendations would be actionable (See 
Appendix C for more detail on this definition). 

• Leveraged the wealth of existing information and built on the body of extensive work examining 
the nation's readiness to prioritize and coordinate resource sharing among federal, state, and 
private entities during a catastrophic outage. 

• Conducted interviews with 21 senior leaders and experts in government and experts in the private 
sector. (See Appendix A for a list of interviewees and report contributors). 

• Conducted research and reviewed more than 250 different sources, including statutes, reports, 
studies, congressional testimony, articles, and prior NIAC studies. 



Appendix C: Definitions to Frame the Study 

There are a number of terms used by federal agencies and in the emergency management space that 
describe severe, long-lasting disasters. The Department of Defense (DOD) uses the term "complex 
catastrophes," 11 the Electric Infrastructure Security (EIS) Council identifies "black sky events," 12 the Federal 
Emergency Management Agency (FEMA) has defined "long-term power outage," 13 and the National 
Response Framework (NRF) describes "catastrophic incidents." 14 

The NIAC is not replacing these definitions; rather, it sought to define the focus of this study so it is clear 
how these events are different, and to provide the framing and context needed to understand and 
implement its recommendations. 

Similarly, the NIAC has defined critical infrastructure resilience in the context of this study based on other 
uses and definitions. This appendix includes the NIAC's definitions of these two terms and key inputs used to 
develop them. 

I. Catastrophic Power Outage Definition 

As part of the scoping effort, the NIAC defined catastrophic power outages as events beyond modern 
experience that exhaust or exceed mutual aid capabilities. The NIAC built on that definition to provide 
additional detail and clarity: 

1. These are likely to be no-notice or limited-notice events, and potentially an act of war that would 
require a military response. These potential events could include: 

a. Sophisticated cyber-physical attack timed with a major natural disaster 

b. Repeated events in a short period of time with significant physical damage 

c. Electromagnetic events, whether natural or manmade, which could result in severe physical 
damage 

2. Long-duration, lasting several weeks to months (at least 2 months, but more likely 6 months or 
more) due to physical destruction to equipment, such as transformers or transmission lines; or the 
severity of the event resulting in limited work force to repair damage, or inability to create or 
transport replacement parts. 

3. Affects a broad area of the nation covering multiple states or regions, impacting between 50 million 
and 75 million people, 15 and threatening the viability of state and regional economies and local 
communities. 

4. Results in severe cascading impacts that force critical sectors—water and wastewater systems, 
communications, transportation, healthcare, financial services—to operate in a degraded state, due 
to back-up generators running out of fuel and fuel resupply hindered by limited transit options or 
being diverted to higher priorities. 

a. Many generators will also break down after they are forced to run beyond design limits 
during an event that stretches weeks and months. 

5. Exceeds or exhausts capabilities of existing mutual aid programs and emergency response plans. 


a. Current emergency response plans and frameworks rely on aid being provided from 
unaffected areas and the ability to identify and communicate needs. This is unlikely to be 
possible during these events. 

b. The electricity sector has an effective mutual aid program, but during an event of this scale 
utilities are unlikely to have surplus supplies or work force, and depending on the severity of 
the event it may be impractical or impossible to bring help in from unaffected areas of the 
nation. 

c. States are also unlikely to be able to assist others given limited resources and expected 
barriers both legal and physical for moving materials and work force. 


11 DOD, Memorandum: Definition of the Term Complex Catastrophe, 2013. 

12 EIS Council, "Black Sky Hazards." 

13 FEMA, Power Outage Incident Annex, 2017. 

14 FEMA, National Response Framework, 2015. 

15 U.S. Census Bureau. 2017. 

A. Inputs for Definition of Catastrophic Power Outage 

The NIAC reviewed how other entities defined similar events, and those definitions served as key inputs. It 
also examined scenarios such as those used in exercises, planning, or actual historical events. 

Federal Emergency Management Agency 

FEMA sought to address the challenges to the federal government posed by long-term power outages in its 
2017 Power Outage Incident Annex to the Response and Recovery Federal Interagency Operational Plans 
(POIA) guidance for federal agencies. 16 FEMA defined a long-term power outage as one that: 

• Extends to multiple states and/or FEMA regions and leaves millions of customers without power for 
an extended period; 

• A significant part of the population needs prolonged mass care and emergency assistance; 

• A loss of critical lifeline functions (e.g., energy, water, communications, and transportation) creates 
risk to health, personal safety, national security, and economic viability; 

• Results in significant loss of service or functions in other critical infrastructure sectors; and 

• State, local, tribal, territorial (SLTT), or insular governments need sustained operational coordination 
to respond to the effects. 17 

In the POIA, FEMA identified several events in modern experience that fit its definition, including the 2003 
Northeast Blackout, Hurricane Katrina, and Superstorm Sandy. 

Electric Infrastructure Security Council 

The EIS Council defines a black sky event as a catastrophic event that severely disrupts the normal 
functioning of critical infrastructure in multiple regions for long durations. 18 

Department of Defense 

DOD uses the term complex catastrophe for any natural or man-made incident, including cyberspace attack, 
power grid failure, and terrorism, which results in cascading failures of multiple interdependencies, critical, 
life-sustaining infrastructure population, environment, economy, public health, national morale, response 
efforts, and/or government functions. 19 


16 FEMA, Power Outage Incident Annex, 2017. 

17 Ibid. 

18 EIS Council, "Black Sky Hazard." 

19 DOD, "Department of Defense Dictionary of Military and Associated Terms," 2010. 

National Response Framework 

The NRF has defined a catastrophic incident "as any natural or manmade incident, including terrorism, that 
results in extraordinary levels of mass casualties, damage, or disruption severely affecting the population, 
infrastructure, environment, economy, national morale, or government functions." 20 

II. Critical Infrastructure Resilience Definition 

Resilience is a commonly used term, so it is important to be clear about what it means in this context. The Working 
Group built on definitions from prior NIAC studies, Presidential Policy Directive-21, and the Executive Office 
of the President. 

For this study, critical infrastructure resilience is defined as the: 

• Ability to prepare for and adapt to changing conditions, and reduce the magnitude and/or duration 
of disruptive events by: 

a. Building robust systems through design, redundancy, and hardening so that the systems are 
able to operate even in a degraded state; and 

b. Embedding agility and adaptability into infrastructure systems and cyber systems creating 
the ability to respond and recover through preparedness and contingency planning, 
training, technology, supply chain management and diversity, and improved information 
sharing and situational awareness to prioritize critical assets and functions. 21 

A. Inputs for Definition of Critical Infrastructure Resilience 

The following sources and definitions were referenced to develop the definition of critical infrastructure 
resilience for this study. 

National Infrastructure Advisory Council 

"Infrastructure resilience is the ability to reduce the magnitude and/or duration of disruptive events. The 
effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt 
to, and/or rapidly recover from a potentially disruptive event." 22 

• Absorptive capacity: is the ability of the system to endure a disruption without significant deviation 
from normal operating performance. 

• Adaptive capacity: is the ability of the system to adapt to a shock to normal operating conditions. 
For example, the extra transformers that the U.S. electric power companies keep on store and share 
increases the ability of the grid to adapt quickly to regional power losses. 

• Recoverability: is the ability of the system to recover quickly—and at low cost—from potentially 
disruptive events. 

Critical infrastructure resilience is characterized by three key features: robustness, resourcefulness, and 
rapid recovery. 

Executive Office of the President 

"The EOP (Executive Office of the President) proposed seven principles as critical success factors by which 
the task force could examine the resiliency of the network, including: 


• Redundancy (multiplicity, spares) 

• Diversity (multiple approaches and suppliers) 

• Agility (ability to shift) 

• Adaptability (ability to adjust) 

• Prioritization (dedicated or shared resource) 

• Geography (diversity, proximity) 

• Hardening (ability to withstand direct force)." 23 


20 FEMA, National Response Framework, 2015. 

21 NIAC, Critical Infrastructure Resilience: Final Report and Recommendations, 2009; NSTAC, Report to the President on Communications Resiliency, 
2011; and The White House, Presidential Policy Directive 21, 2013. 

22 NIAC, Critical Infrastructure Resilience: Final Report and Recommendations, 2009. 

Presidential Policy Directive 21—Critical Infrastructure Security and Resilience 

"The term resilience means the ability to prepare for and adapt to changing conditions and withstand and 
recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate 
attacks, accidents, or naturally occurring threats or incidents." 24 


23 NSTAC, Report to the President on Communications Resiliency, 2011. 

24 The White House, Presidential Policy Directive 21, 2013. 

Appendix D: Government Authorities, Processes, and Roles 

In the United States, the role of the federal government in disaster response is to "supplement the efforts 
and available resources of states and local governments, and disaster relief organizations in alleviating 
damage, loss, hardship, or suffering." 25 This "bottoms-up" approach is a tried and true mechanism. The 
federal government is the only level of government with the authority and capability to cope with 
widespread events, because most catastrophic impacts span multiple states and municipalities. 26 

The Federal Emergency Management Agency (FEMA) noted in its 2017 Hurricane Season After-Action Report 
that "no jurisdiction or federal agency has all the staff and resources it will need to respond to a 
catastrophic incident." 27 And in its 2018-2022 Strategic Plan, FEMA states that the agency "does not and 
cannot serve as the sole or primary responder." 28 The Agency's practice is that emergency management 
strategies are most effective when they are "federally supported, state managed, and locally executed." 29 

However, the concern is that when a catastrophic power outage or other complex disaster occurs, it has the 
potential to immediately overwhelm state and local capabilities. In this scenario, there is not an equivalent 
"top-down" approach or process where the federal government acts as the initial and primary source of aid 
that is understood and accepted by all parties. 

This appendix provides an overview of existing federal authorities and processes during a disaster and how 
these interact with state, local, tribal, and territorial (SLTT) government and community roles. It also 
includes an overview of the roles of federal agencies, state and local government, and industry during 
emergencies. 

I. Federal Authorities and Processes 

Federal response to an event is guided by several frameworks and documents under the National 
Preparedness System (NPS) building off the National Preparedness Goal to establish "a secure and resilient 
nation with the capabilities required across the whole community to prevent, protect against, mitigate, 
respond to, and recover from the threats and hazards that pose the greatest risk." 30 

A. National Preparedness System 

The NPS was established under Presidential Policy Directive 8: National Preparedness (PPD-8), issued by 
President Obama in 2011. 31 NPS is designed to help "ensure the Nation's ability to prevent, respond to, 
recover from, and mitigate against natural disasters, acts of terrorism, and other man-made disasters." 32 
NPS includes a National Planning Framework for each of five mission areas—prevention, protection, 
mitigation, response, and recovery 33 —as well as Federal Interagency Operational Plans (FIOPs) and guidance 
for SLTT governments for coordinating national preparedness efforts. 34 


25 Robert T. Stafford Disaster Relief and Emergency Assistance Act, Pub. L. 93-288. 

26 Amy Lui, "Feds, States, Cities - The All of the Above Disaster Response," Brookings, November 2, 2012. 

27 FEMA, 2017 Hurricane Season FEMA After-Action Report, 2018. 

28 FEMA, 2018-2022 Strategic Plan, 2018. 

29 Ibid. 

30 DHS, National Preparedness Goal, 2015. 

31 DHS, "Presidential Policy Directive 8: National Preparedness," March 30, 2011. 

32 6 U.S. Code §§743-744. 

The graphic below provides a high-level view of the NPS and its five frameworks and supporting plans. 

Under the NPS, the National Response Framework (NRF) is the principal interagency response coordination 
structure for declared Stafford Act events and non-Stafford Act events 35 —presidentially declared events 
that initiate federal disaster assistance—providing guidance for immediate response to a disaster. 36 The NRF 
outlines how the United States responds to disasters and emergencies of all sizes, 37 indicates how federal 
agencies should interact with SLTT governments and the private sector, and specifies when federal 
authorities assume control of national response. 38 


The NRF establishes different Emergency Support Functions (ESFs) to organize the response capabilities of 
the federal government, 39 by grouping federal agencies with relevant authorities, resources, and expertise, 
with an established coordinator, primary agency or agencies, and support agency relevant to the ESF. 40 ESFs 
are applied through the National Response Coordination Center (NRCC)—a multiagency center that 
coordinates the overall federal support for major incidents and emergencies. 41 


33 Statement of Robert J. Fenton, Pacific Northwest Seismic Hazards: Planning and Preparing for the Next Disaster, Hearing before the House 
Committee on Transportation and Infrastructure, May 19, 2015. 

34 DHS, Section 2(e): Assessment of Electricity Disruption Incident Response Capabilities, 2018. 

35 DHS, National Response Framework, 2008. 

36 Jared T. Brown, et al., Congressional Primer on Responding to Major Disasters and Emergencies, Congressional Research Service, 2017. 

37 DHS, National Response Framework, Second Edition, May 2013. 

38 Richard Weitz, "Federalism and Domestic Disasters: Promoting a Balanced Approach," Hudson Institute, 2006. 

39 DHS, National Response Framework, Third Edition, June 2016. 

40 Jared T. Brown, et al., Congressional Primer on Responding to Major Disasters and Emergencies, Congressional Research Service, 2017. 

41 FEMA, "Fact Sheet: National Response Coordination Center," July 2015. 

The National Disaster Recovery Framework (NDRF) 
is a companion to the NRF and outlines the 
strategy and doctrine for how a whole community 
builds, sustains, and coordinates recovery. The 
NDRF provides recovery principles, roles and 
responsibilities at the respective levels of 
government, and a structure and process to assist 
short- and long-term recovery following a disaster 
event. 42 

The most successful and impactful response 
following an emergency is local, but local 
governments and community-level organizations 
are often not actively engaged in disaster response 
planning. This creates a disconnect between the 
federal government and local 
governments/communities. 43 

FEMA is in the process of updating the NRF 44 to 
emphasize stabilization of community lifelines and coordination across critical infrastructure sectors. 45 
FEMA has identified seven community lifelines that provide indispensable services to enable the continuous 
operation of critical business and government functions, and are critical to health, safety or economic 
security. 46 These lifelines include: safety and security; food, water, and shelter; health and medical; energy; 
communications; transportation; and hazardous waste. 

The intention is that communities would identify what stabilization in each of these lifelines means for their 
community, and use those stabilization targets in outcome-based planning. The NRF update is expected to 
put an increased emphasis on the capabilities of the private sector, individuals, and volunteer and 
nongovernmental organizations (NGOs) with potential public review and comment in early 2019. 

The NRF update will also include the creation of a new ESF #14 focused on cross-sector coordination. ESF 
#14 will serve as a way to bring in industry to help prioritize response. ESF #14 will be used by the federal 
government for building, sustaining, and delivering response capabilities, including those necessary for 
sustaining and restoring critical infrastructure. 47 "[This] would cement in doctrine and practice the public- 
private sector partnership that is essential to stabilization and unity of effort, and bring new capacity to 
whole community response efforts." 48 

B. National Incident Management System 

The 2003 Homeland Security Policy Directive 5 (HSPD-5), 49 called on the Secretary of Homeland Security to 
develop a national incident management system to provide a consistent nationwide approach for federal 
and SLTT governments to work together to prepare for, prevent, respond to, and recover from domestic 
incidents, regardless of cause, size or complexity. 50 In 2004, the Department of Homeland Security (DHS) 
issued the National Incident Management System (NIMS) as a companion to the NRF, which incorporates 
the capabilities and resources of various governmental jurisdictions, incident management and emergency 
response disciplines, non-governmental organizations, and the private-sector into a cohesive, coordinated, 
and seamless national framework for domestic incident response. 51 


The National Cyber Incident Response Plan 

The National Cyber Incident Response Plan (NCIRP) is 
the Cyber Annex to the FIOP that built upon the 
National Planning Frameworks and the NPS. The NCIRP 
was developed to articulate the roles and 
responsibilities, capabilities, and coordinating structures 
that support how the United States responds to and 
recovers from significant cyber incidents posing risks to 
critical infrastructure. It is the primary framework for a 
national approach to dealing with cyber incidents, 
addressing the important role that the private sector 
and state and local governments, and multiple federal 
agencies play in responding to incidents and how the 
actions of all fit together for an integrated response. 

The last iteration of the NCIRP was in 2016. 

Source: NCIRP, 2016 


42 DHS, National Disaster Recovery Framework, Second Edition, June 2016. 

43 EIS Council, Electric Infrastructure Protection (E-PRO) Handbook III Cross-Sector Coordination and Communications in Black Sky Events, 2018. 

44 DHS, National Response Framework, 2008. 

45 FEMA, 2017 Hurricane Season FEMA After-Action Report, 2018. 

46 FEMA, "National Response Framework Update: Overview Briefing," October 24, 2018. 

47 EIS Council, Electric Infrastructure Protection (E-PRO) Handbook III Cross-Sector Coordination and Communications in Black Sky Events, 2018. 

48 FEMA, 2017 Hurricane Season FEMA After-Action Report, 2018. 

49 DHS, Homeland Security Presidential Directive 5, 2003. 

C. Stafford Act 

Within the NPS frameworks, the Robert T. Stafford Disaster Relief and Emergency Assistance Act, better 
known as the Stafford Act, provides the legal and statutory authority governing federal response to events 
in the United States. 52 The Act provides the system currently used for requesting and obtaining a 
presidential emergency or major disaster declaration, determining the conditions for obtaining assistance, 
and defining the type and scope of assistance available from the federal government. 53 An emergency is any 
occasion or instance in which federal assistance not exceeding $5 million is needed to supplement state and 
local efforts and capabilities. 54 A major disaster is generally larger, and is any natural event causing damage of 
such severity that it is beyond the combined capabilities of state and local governments to respond. 55 

Federal response under the Stafford Act is generally the same for territories and federally recognized tribal 
nations, though there may be unique differences. The federal government maintains a moral and legal trust 
responsibility toward tribal governments, which includes an obligation to protect tribal treaty rights, lands, 
assets, and resources, as well as a duty to carry out the mandates of tribal law. 56 This means that "any 
federal agency with a role in emergency preparedness and response, such as [FEMA], is obligated to provide 
consultation opportunities to tribes in addition to the other services and resources available at the 
agency." 57 Similar to states, tribal governments are responsible for coordinating resources to address actual 
or potential incidents. 58 In 2013, the Sandy Recovery Improvement Act amended the Stafford Act to include 
a provision to provide federally recognized tribal governments the option to request a Presidential 
emergency or major disaster declaration independent of a state, cutting down on response time. 59 

The same approach and process applies to territories. However, due to their remote locations, territories 
often face unique challenges in receiving assistance from outside the jurisdiction quickly and often request 
assistance from neighboring islands, other nearby countries, states, the private sector or NGO resources, or 
the federal government. Federal assistance is delivered in accordance with pertinent federal authorities." 60 

The graphic below provides a high-level overview of the multi-step process for receiving a federal 
emergency and major disaster declaration under the Stafford Act. 


50 The White House, "Homeland Security Presidential Directive/HSPD-5," 2003. 

51 FEMA, "NIMS Frequently Asked Questions," 2017. 

52 Robert T. Stafford Disaster Relief and Emergency Assistance Act, Public Law 93-288 as Amended. 42 U.S. Code § 5121 et seq. 

53 FEMA, A guide to the Disaster Declaration Process and Federal Disaster Assistance. 

54 42 U.S.C. § 5122. 

55 42 U.S.C. § 5122. 

56 Cohen's Handbook of Federal Indian Law § 5.04[3]; Seminole Nation v. U.S., 316 U.S. 286, 296-97 (1942); U.S. v. Jicarilla Apache Nation, 131 S. Ct. 
2313, 2324-25 (2011). 

57 The White House, Memorandum on Government-to-Government Relations With Native American Tribal Governments, Apr. 29, 1994; Aila Hoss, 
"Tribal Consultation: Selected Resources," CDC, 2016. 

58 FEMA, "IS-0230.d - Fundamentals of Emergency Management. Lesson 1: Emergency Management Overview." 

59 Robert T. Stafford Disaster Relief and Emergency Assistance Act, Public Law 93-288 as Amended. 42 U.S.C. 5121 et seq.; Disaster Declaration 
Improvement Act, Report 115-99. 

60 FEMA, "IS-0230.d - Fundamentals of Emergency Management. Lesson 1: Emergency Management Overview." 

Stafford Declaration Process 

EVENT REQUIRES STATE OR TRIBAL EMERGENCY RESPONSE 

The governor, local government, or tribal leader of an affected area responds to an event, executing 
the state or tribal emergency response plan. 

JOINT PRELIMINARY DAMAGE ASSESSMENT (PDA) 

Federal, state, and/or tribal officials conduct a joint PDA to determine the disaster's extent, impact, and 
the type(s) of federal assistance that may be needed. 

REQUEST FOR A PRESIDENTIAL DECLARATION 

A written request for a presidential declaration by a governor, local, or tribal leader is submitted to the 
affected area's FEMA Regional Administrator or Emergency Preparedness and Response (EPR) office. 

PRE-DISASTER EMERGENCY RESPONSE 

If it is apparent that a presidential declaration may be necessary prior to an event, the governor or tribal 
leader of the affected area may request an emergency declaration in advance. A major disaster declaration 
can only be made after an event. 

MAJOR DISASTER DECLARATION FOR A SEVERE OR CATASTROPHIC EVENT 

If an event is severe and catastrophic and assessment is unnecessary, a request for a major disaster 
declaration can occur before the PDA is complete. This is not applicable for emergency declarations. 

SMS AND DECLARATION 

The President evaluates the request and upon determination that Stafford Act assistance is 
warranted, declares an emergency or major disaster and appoints a Federal Coordinating Officer (FCO) 
to execute Stafford Act programs. 

EMERGENCY DECLARATION 

Any occasion or instance in which federal assistance not exceeding $5 million is needed to supplement 
state and local efforts and capabilities. 

MAJOR DISASTER DECLARATION 

Any natural event that has caused damage of such severity that it is beyond the combined capabilities of 
state and local governments to respond. 

D. Federal Financial Disaster Relief Assistance, Waivers, and Mitigation Funding 

A complex spending relationship underlies federal disaster assistance in the United States. 61 Federal 
financial assistance is generally only available after a Stafford Act declaration and after an event has 
occurred. Under the Disaster Relief Fund (DRF)—the primary funding source for Stafford Act declared 
disaster response and recovery 62 —there are three principal forms of federal financial assistance available 
through FEMA. 63 Through these forms of assistance, FEMA can fund authorized federal disaster support 
activities as well as eligible SLTT actions. 64 

No single government source provides comprehensive information about state spending. 65 A Government 
Accountability Office (GAO) study found that because the federal government and states do not know how 
much they spend on mitigation in total, they lack the information to accurately compare proactive 
investments with post-disaster response and recovery expenditures. The larger the natural disaster, the 
more likely all levels of government participate and spend significant amounts of money. 66 But all levels of 
government need a more comprehensive understanding of federal and state investments to better target 
funding to help manage the growing costs of catastrophic events. With the increasing severity and 
frequency of natural disasters, policymakers are looking for ways to control costs by investing in mitigation 
activities—actions that reduce risk to lives and property—before a disaster happens. 67 

In April 2018, the U.S. House of Representatives passed components of the Disaster Recovery Reform Act 
(DRRA) as part of the Federal Aviation Administration (FAA) Reauthorization Act of 2018. 68 The DRRA would 
provide funding for hazard mitigation programs, as well as introduce new reforms to programs, which 
include: 69 


• Amend the Stafford Act to establish increased and fixed reimbursement rates to state and local 
governments for direct and indirect administrative costs associated with disaster recovery efforts. 
This includes no more than 15 percent for hazard mitigation and 12 percent for essential assistance, 
repair, restoration, replacement, debris removal, and transportation assistance. 70 

• Allow states the option to administer FEMA funding for direct temporary housing and permanent 
housing construction after a disaster. FEMA must fund 100 percent of the direct temporary housing 
costs. 

• Establish the National Public Infrastructure Pre-Disaster Mitigation Assistance Program, which would 
commit certain funding from the DRF to pre-disaster mitigation efforts. It would allocate 6 percent 
of the combined obligations estimated following a major disaster to mitigation assistance. 

• Require the FEMA administrator to develop a plan to streamline information collection processes 
for grant applications and make the process less burdensome and time consuming. 


61 Foundation Center and the Center for Disaster Philanthropy, "Measuring the State of Disaster Philanthropy 2017." 

62 Robert T. Stafford Disaster Relief and Emergency Assistance Act, Pub. L. 93-288, as amended, 42 U.S. Code § 5121 et seq. 

63 The Public Assistance program is authorized by Sections 403(a)(3)(A), 406, 407, 428, and 502(a)(5) of the Stafford Act; Jared T. Brown and Daniel J. 
Richardson, FEMA's Public Assistance Grant Program: Background and Considerations for Congress, 2015; Bruce R. Lindsay, The SBA Disaster Loan 
Program: Overview and Possible Issues for Congress, 2015; FEMA, "The Hazard Mitigation Assistance Grant Programs," 2015. 

64 Statement by Craig Fugate, The Federal Role in Disaster Recovery and Response, Hearing before the Committee on Appropriations' Subcommittee 
on Homeland Security, October 12, 2011. 

65 GAO, "Budgeting for Disasters: Approaches to Budgeting for Disasters in Selected States," 2015; National Association of State Budget Officers, 
"Budget Processes in the States," 2015. 

66 UNISDR, "What Is Disaster Risk Reduction?" 

67 Pew Charitable Trusts, "Natural Disaster Mitigation Spending is not Comprehensively Tracked," September 2018. 

68 FAA Reauthorization Act of 2018, H.R. 4, 115th Cong., 2nd Session, May 7, 2018. 

69 FEMA, "Pre-Disaster Mitigation Grant Program." 

70 Lucia Bragg, "House Passes Disaster Recovery Reform Act under FAA Reauthorization," April 27, 2018. 

As the number of declared major disasters and emergencies increases, 71 and the amount of money needed 
for the DRF increases, 72 the federal government bears escalating recovery costs. Insurance reform offers a 
promising way to encourage infrastructure upgrades that could promote resilience innovations and share 
disaster costs between the public and private sector. This is becoming more and more important because 
risk models indicate that the annual likelihood of severe weather causing at least $1 billion in insured losses 
in the U.S. is 92 percent. 73 

Federal financial assistance can also be in the form of a waiver. Waiving statutes and regulations identified as 
impeding response and recovery efforts can help communities and companies make decisions without the 
threat of reprisal for noncompliance. For example, after Hurricane Maria hit Puerto Rico in 2017, the 
Environmental Protection Agency (EPA) granted a blanket waiver from ultra-low sulfur diesel requirements 
so that the territory could use power generators that use fuel with high sulfur content. 74 

II. Federal Agency Roles 

As mentioned in the prior sections, various frameworks, authorities, and supporting documents outline how 
the federal government responds. Federal agencies also have roles in disaster response and recovery, most 
notably three agencies with a defined lead role in emergency preparedness and response or critical 
infrastructure protection. This section will provide an overview of the roles DHS, the Department of Energy 
(DOE), and DOD each play before, during, and after an event, and the role of the Federal Energy Regulatory 
Commission (FERC), the federal agency that regulates the transmission and wholesale sale of electricity and 
natural gas. 

A. Department of Homeland Security 

At its core, DHS secures the nation against evolving threats to safety and security through continuous risk 
assessments and adaptive strategies to effectively address them. 75 Within this, DHS has five missions that 
include preventing terrorism and enhancing security; managing the country's borders; administering 
immigration laws; securing cyberspace; and providing the coordinated, comprehensive federal response in 
the event of a terrorist attack, natural disaster or other large-scale emergency. 76 When events such as 
natural disasters do occur and the federal government needs to provide assistance, DHS is the primary 
agency for coordinating federal assistance. This section highlights three key components under DHS: FEMA, 
the Cybersecurity and Infrastructure Security Agency (CISA), and the newly formed National Risk 
Management Center (NRMC). 

Federal Emergency Management Agency 

Within DHS, FEMA is the federal agency that coordinates the federal government's role in preparing for, 
preventing, mitigating the effects of, responding to, and recovering from all domestic disasters, whether 
natural or manmade, including acts of terror. 77 FEMA relies on the NRF and NDRF frameworks, which 


71 FEMA, "Incidents by Year." 

72 Bruce R. Lindsay, FEMA's Disaster Relief Fund: Overview and Selected Issues. Congressional Research Service, May 7, 2014. 

73 Executive Office of the President of the United States, Standards and Finance to Support Community Resilience, 2016; Carolyn Kousky, et al., Does 
Federal Disaster Assistance Crowd Out Private Demand for Insurance? 2013. 

74 Subramanian, R., et al., "Air Quality in Puerto Rico in the Aftermath of Hurricane Maria: A Case Study on the Use of Lower Cost Air Quality 
Monitors," ACS Earth and Space Chemistry, 2018. 

75 DHS, "About DHS." 

76 Ibid. 

77 Statement of Richard Campbell, Blackout! Are we Prepared to Manage the Aftermath of a Cyber-Attack or Other Failure of the Electrical Grid? 
Hearing before the Committee on Transportation and Infrastructure, Subcommittee on Economic Development, Public Buildings, and Emergency 
Management, House of Representatives, April 11, 2016. 

identify the subset of agencies best equipped to respond to a particular challenge, as well as the NIMS for a 
cohesive, coordinated incident response. 

FEMA has stated that the biggest lesson learned after the 2017 disasters is that the most effective strategies 
for emergency management are those that are federally supported, state managed, and locally executed. 
FEMA advocates a whole community approach to disaster management that includes individuals, families, 
communities, the private and nonprofit sectors, faith-based organizations, and local, state, tribal, territorial, 
insular areas, and other federal agencies. 78 To that end, FEMA emphasizes that it is not the sole or primary 
responder to an event; its role in emergency management is therefore to coordinate federal resources and 
assistance to supplement SLTT capabilities. 79 In that capacity, FEMA is responsible for building relationships 
with emergency management communities to encourage preparedness activities and mitigation 
investments before an event; managing requests for assistance during one; and coordinating and assigning federal 
grant assistance with response and recovery after an event occurs. 80 

2018-2022 Strategic Plan 

FEMA issued the 2018-2022 Strategic Plan as a framework for supporting the United States before, during, 
and after disasters, with three Strategic Goals aimed at mobilizing a whole community approach to disaster 
response to build a culture of preparedness, readying the nation for catastrophic disasters, and reducing 
FEMA's complexity. 81 

• Strategic Goal 1: Build a Culture of Preparedness includes objectives to incentivize investments that 
reduce risk, including pre-disaster mitigation; close the insurance gap; help people prepare for 
disasters; and better learn from past disasters, improve continuously, and innovate. 

• Strategic Goal 2: Ready the Nation for Catastrophic Disasters focuses on enhancing the nation's 
collective readiness. This requires a scalable and capable national incident workforce that can adapt 
and deploy to a changing landscape of events, integrate stakeholders at all levels of the public and 
private sectors, and communicate and coordinate effectively in every situation. 

• Strategic Goal 3: Reduce the Complexity of FEMA promotes less complex processes to streamline 
FEMA and drive decision-making to reduce the administrative burdens that impede impacted 
individuals and communities from quickly receiving assistance. 

Power Outage Incident Annex 

In June 2017, FEMA released the Power Outage Incident Annex (POIA) to the Response and Recovery Federal 
Interagency Operational Plans: Managing the Cascading Impacts from a Long-Term Power Outage as 
guidance for federal agencies responsible for providing energy response and recovery support for a 
long-term power outage to SLTT, insular areas, NGOs, and the private sector. 82 POIA states that "when a power 
outage is of such significance and scope that it is beyond the ability of utility companies to restore power in 
a timely manner, resulting in [SLTT] or insular area capabilities being insufficient to support the population, 
the federal government provides assistance to jurisdictional response and recovery capabilities." 83 

The POIA is not an electricity restoration plan; it outlines the types of federal support available to critical 
infrastructure stakeholders when a power outage is of such significance and scope that it is beyond the 


78 FEMA, 2018-2022 Strategic Plan, 2018. 

79 Ibid. 

80 Ibid. 

81 Ibid. 


82 FEMA, Power Outage Incident Annex, 2017. 

83 Ibid. 

ability of utility companies to restore power in a timely manner. 84 It is a springboard, providing a framework 
to address interdependencies. The POIA describes a bifurcated command structure where DOE oversees the 
restoration of the power system (grid) and FEMA leads the federal consequence management effort. 
However, actions in the POIA may be to provide support to local, state, tribal, territorial, and insular area 
governments or other federal agencies to address the ramifications of an incident. 

FEMA is funding each FEMA Region to conduct long-duration power outage planning that will be tested, 
validated, and modified as needed. The goal is to coordinate emergency management and infrastructure 
protection into response and recovery plans so that each sector and/or region knows what their impacts 
may be and what support they might need from the federal government during or after an event. 


FEMA Region V 

FEMA Region V worked with its states (Illinois, Indiana, Michigan, Ohio, and Wisconsin) to review and understand 
their roles and responsibilities during a long-term power outage in conjunction with FEMA's POIA. 

Through the Region's process to develop a POIA to provide supplemental hazard information to their All Hazards 
Plan, a series of workshops were conducted with local, state, and federal government representatives and private 
utilities. These workshops reviewed state energy plans, threat hazard identification and threat assessments, and 
sector interdependencies to understand the current capabilities so FEMA Region V could understand where there 
were needs from local and state partners and public and private utilities. 


Cybersecurity and Infrastructure Security Agency 

Legislation was signed in November 2018 that 
renamed the National Protection and Programs 
Directorate (NPPD) to the Cybersecurity and 
Infrastructure Security Agency (CISA) to better 
reflect the agency's role in both cyber and physical 
infrastructure security and resilience. 85 DHS 
Secretary Nielsen stated that the renaming "would... 
realign [the agency's] structure to reflect the core 
cybersecurity and infrastructure resilience mission it 
exercises." 86 

Similar to the former NPPD's mission, CISA will work 
with public sector, private sector and government 
partners to share information, build greater trust, 
and lead the national effort to protect and enhance 
the resilience of the country's physical and cyber 
infrastructure. 87 CISA partners with government and 
the private sector to protect and secure the people, 
places, spaces, data and networks that make nation 


National Cyber Security Strategy 

In September 2018, the White House released the 
National Cyber Strategy, the first of its kind in 15 years. 

The strategy highlights the growing threat that 
malicious cyber actors pose to U.S. national security and 
identifies cyber priorities structured around the National 
Security Strategy. The new strategy also calls for the 
administration to clarify the roles and responsibilities of 
federal agencies and the expectations of the private 
sector when it comes to cybersecurity risk management 
and incident response. DHS Secretary Nielsen stated the 
Strategy will "guide efforts by DHS to secure federal 
networks, protect critical infrastructure, and combat 
cybercrime." 

Source: National Cyber Security Strategy, The White 
House 


84 FEMA, Power Outage Incident Annex, 2017. 

85 DHS, "Cybersecurity and Infrastructure Security Agency (CISA)," November 19, 2018. 

86 Tim Starks, "Senate could act on top DHS cybersecurity priority," Politico, September 19, 2018. 

87 DHS, "CISA Cyber + Security." 

run, 88 leading the U.S. government's efforts to secure federal networks and critical infrastructure. 89 The 
agency has also been spearheading the federal government's election security efforts, coordinating with 
state and local election offices on information sharing and cybersecurity best practices. 90 

CISA's National Cybersecurity and Communications Integration Center (NCCIC) provides constant cyber 
situational awareness, defense, analysis, and incident response capabilities to the federal government, SLTT 
governments, and the private sector. 91 CISA also includes the National Infrastructure Coordinating Council 
(NICC), which is the operations center that maintains situational awareness of the nation's critical 
infrastructure for the federal government. The NICC serves as the coordination and information sharing hub 
to support coordination between DHS and owners and operators of critical infrastructure. 92 

National Risk Management Center 

In September 2018, DHS stood up a National Risk Management Center (NRMC) to focus on national strategic 
risks to critical infrastructure and serve as a convener for government and industry to work together, taking 
an all-hazards approach focused on critical functions. 93 One of the NRMC's goals is to be a place to coordinate 
on long-term cybersecurity and infrastructure security risk management, serving as the operational layer to 
develop strategic plans and take a unified approach to risks. 94 

Defining national critical functions produced by critical infrastructure that could cause systemic risk will also 
be a major undertaking by the NRMC. Defining these national critical functions can determine and locate 
interdependencies and concentrated dependencies that can determine what needs to be prioritized for 
restoration. 

The NRMC is building on prior NIAC recommendations, which called for an operational task force made up 
of senior executives from government and the Electricity, Financial Services, and Communications Sectors, 
who can direct priorities and marshal resources. 95 As such, the NRMC is in the process of standing up a 
Tri-Sector Working Group made up of senior executives from the three sectors, which will be leveraged as a 
steering group for NRMC. 

Through the Critical Infrastructure Partnership Advisory Council (CIPAC), DHS in partnership with the 
Information Technology Sector Coordinating Council (IT SCC) and Communications Sector Coordinating 
Council (CSCC), has established the Information and Communications Technology (ICT) Supply Chain Risk 
Management Task Force within the NRMC. The Task Force is intended to focus on potential near- and long- 


88 Ibid. 

89 Zaid Shoorbajee, "DHS's top cyber office is about to get a name that reflects its office," CyberScoop, October 4, 2018. 

90 Ibid. 

91 DHS, "What does CISA do?" 

92 DHS, "National Infrastructure Coordinating Council," Last updated August 14, 2018. 

93 DHS, "DHS National Risk Management Center," Fact Sheet, 2018. 

94 Ibid. 

95 NIAC, Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure, 2017. 

term solutions to manage strategic risks through policy initiatives and opportunities for innovative public- 
private partnership. 96 


Critical Infrastructure Partnership Advisory Council 

DHS established CIPAC to facilitate interaction between governmental entities and representatives from the 
community of critical infrastructure owners and operators. Under CIPAC, members of the Government Coordinating 
Councils (GCCs) and Sector Coordinating Councils (SCCs) engage in discussions about joint critical infrastructure 
planning, coordination, implementation, and operational issues. 

CIPAC provides the authority and structure for coordinating among government and critical infrastructure owners 
and operators; conducting operational activities related to critical infrastructure security and resilience measures, 
incident response, and recovery; and sharing threat, vulnerability, risk mitigation, business continuity information, 
and best practices along with lessons learned. 

Source: FEMA, CIPAC FAQs 

B. Department of Energy 

DOE is responsible for coordinating the Energy Sector's emergency preparedness requirements—using 
processes and structures unique to the energy sector—as the lead for restoration and sector specific lead 
agency for grid security. 

Emergency Authorities 

Under the Fixing America's Surface Transportation (FAST) Act, 97 a federal law aimed at providing long-term 
funding for surface transportation infrastructure, the Secretary of Energy has "broad and nearly unilateral 
authority over critical electric infrastructure to protect system reliability in emergency situations." 98 Under 
the FAST Act, the Secretary of Energy has the authority, upon the declaration of a grid security emergency 
by the President, to issue emergency orders that—in his or her judgement—are necessary to protect or 
restore the reliability of critical electric infrastructure or defense critical electric infrastructure during the 
grid security emergency. 99 

Office of Cybersecurity, Energy Security, and Emergency Response 

Formerly the Office of Electricity (OE), the Office of Cybersecurity, Energy Security, and Emergency Response 
(CESER) works to ensure that the nation's energy delivery system is secure, resilient, and reliable and 
develops new technologies to improve the infrastructure and the federal and state electricity policies and 
programs. 100 Moving forward, CESER will focus on energy infrastructure security and support the expanded 
national security responsibility. 101 CESER will lead DOE's emergency preparedness and coordinated response 
to disruptions to the Energy Sector, including physical and cyber-attacks, natural disasters, and man-made 
events. 102 CESER will also spearhead efforts to secure the U.S. energy infrastructure against all hazards 
and mitigate the risk of energy disruption from cyber incidents and other emerging threats within the 
energy environment. 103 


96 DHS, "ICT Supply Chain Task Force," Press release, August 31, 2018. 

97 Fixing America's Surface Transportation (FAST) Act, Pub. L. 114-94. 

98 Sylvia Bartell, "Transforming the Nation's Electricity System. Part IV: Grid Security," Husch Blackwell, January 16, 2017. 

99 DOE, "Grid Security Emergency Orders: Procedures for Issuance," Federal Register, January 10, 2018. 

100 Hunton Andrews Kurth, "Department of Energy Announces New Efforts in Energy Sector Cybersecurity," May 30, 2018. 

101 DOE, "Secretary of Energy Rick Perry Forms New Office of Cybersecurity, Energy Security, and Emergency Response," February 14, 2018. 

102 DOE, "CESER Mission." 

C. Federal Energy Regulatory Commission 

FERC is the federal agency that regulates the transmission 
and wholesale sale of electricity and natural gas in 
interstate commerce and regulates the transportation of 
oil by pipeline in interstate commerce. 104 While FERC does 
not have jurisdiction over generation facilities, or facilities 
used for local distribution or transmission in intrastate 
commerce, 105 more than half of electric energy sales are 
subject to FERC's rate jurisdiction. 

While FERC is responsible for ensuring adherence to 
mandatory reliability standards in industry, NERC develops 
those standards with input from the industry, submits 
them to FERC for approval, and then enforces the 
approved standards in the Energy Sector. 106 

FERC has also approved new mandatory reliability 
standards to bolster supply chain risk management 
protections for the nation's bulk electric system. The new 
standards will augment current critical infrastructure 
protection standards to mitigate cybersecurity risks 
associated with the supply chain for grid-related cyber systems. 107 

D. Department of Defense 

DOD is responsible for providing military forces and certain intelligence capabilities to deter war and to 
protect the security and national interests of the United States. As such, the Secretary of Defense may assist 
in the support of domestic infrastructure and essential restoration, or unprecedented events, 108 through the 
mechanisms of the frameworks. 109 

While FEMA is the federal lead for national disaster response activities, DOD plays a supporting but 
important role in the national response system. 110 As stated in the National Defense Strategy, while 
defending the homeland, DOD must also maintain the capacity to support civil authorities in times of 
national emergency such as in the wake of man-made and natural disasters. 111 In the event of crises within 
multiple states, or when many military units are deployed on overseas missions, affected regions may 
require assistance from DOD active-duty troops, the U.S. Coast Guard, and other federal assets. 112 


North American Electric Reliability Corporation 

As required by the Federal Power Act, FERC 
designated NERC—a nonprofit international 
regulatory authority responsible for reducing 
risks and ensuring reliability of the grid—as the 
Electric Reliability Organization (ERO) for North 
America. In this role, NERC oversees all 
interconnected power systems in the United 
States, Canada, and portions of Mexico and 
develops mandatory and enforceable reliability 
grid standards subject to FERC's review and 
approval. As a designated ERO, NERC issues 
enforceable guidelines, essentially giving FERC 
the authority to oversee the reliability and 
resiliency of the U.S. grid, because FERC through 
NERC, oversees the bulk power system. 

Source: FERC, FAQs 


104 California Independent System Operator Corporation v. FERC, 372 F.3d 395, 398-99 (D.C. Cir. 2004); Lawrence R. Greenfield, An Overview of the 
Federal Energy Regulatory Commission and Federal Regulation of Public Utilities in the United States, December 2010. 

105 Garry Brown, et al., The Federal Power Act in the 21st Century: Summary Report of a Discussion Marking the 80th Anniversary of the Enactment of 
FPA Title II, Harvard Law School, September 1, 2015. 

106 NERC, Milestones: NERC Reliability Standards, May 19, 2014. 

107 Pamela Largue, "FERC announces new supply chain risk management standards," Smart Energy International, October 22, 2018. 

108 Jared T. Brown, et al., Congressional Primer on Responding to Major Disasters and Emergencies, Congressional Research Service, 2017. 

109 DHS, National Response Framework, 2008. 

110 Statement by Robert G. Salesses and Brigadier General Joseph E. Whitlock, Defense of Civil Authorities: A Vital Resource in the Nation's Homeland 
Security Missions, Hearing before the Subcommittee on Emergency Preparedness, Response, and Communications of the Committee on Homeland 

The military responds under the authority of Title 32 and Title 10 of the U.S. Code, depending on the 
purpose and event. 113 The president also has the authority to order the military to help plan for a disaster 
before it occurs, such as moving airplanes or prepositioning forces. While the president cannot order the 
military to execute or enforce federal law, that is not a blanket prohibition against deploying troops in a civil 
emergency. 114 

DOD has taken steps to improve its preparedness so that the department can support civil 
authorities and respond effectively to requests for assistance for power restoration during a catastrophe. 115 The 
DOD complex catastrophe initiative is aimed at making defense support of civil authorities faster and more 
effective in delivering life-saving and life-sustaining requirements, which would enable DOD to bring all of its 
capabilities, from all components, to bear in support of civil authorities. 116 The initiative has also directed 
improvements in the Defense Security Cooperation Agency (DSCA)—an agency that advances U.S. national 
security and foreign policy interests by building the capacity of foreign security forces to respond to shared 
challenges 117 —for regional planning and plans integration, force sourcing, training and exercises, and the 
role of military installations and Defense Agencies in emergency response operations. 118 

U.S. Northern Command 

The U.S. Northern Command (NORTHCOM) was established in 2002 to administer command and control of 
DOD homeland defense efforts and to coordinate defense support of civil authorities. 119 NORTHCOM's area 
of responsibility includes air, land, and sea approaches and encompasses the continental United States, 
Alaska, Canada, Mexico, and the surrounding water out to approximately 500 nautical miles. It also includes 
the Gulf of Mexico, the Straits of Florida, portions of the Caribbean region that include the Bahamas, Puerto 
Rico, and the U.S. Virgin Islands. 120 

NORTHCOM plans, organizes, and executes homeland defense and civil support missions, but has few 
permanently assigned forces. Forces are assigned when necessary to execute missions, as ordered by the 
President or Secretary of Defense. 121 NORTHCOM also plays an important role in disaster response by 
providing unique military capabilities to FEMA in support of state requests for emergency aid. NORTHCOM is 
the DOD synchronizer for all DOD support to FEMA and Defense Support of Civil Authorities (DSCA)—an 
agency that advances U.S. national security and foreign policy interests by building the capacity of foreign 
security forces to respond to shared challenges 122 —which gave them a much more proactive role during the 
2018 hurricane season. 123 

During the 2017 hurricane season, NORTHCOM sent thousands of troops to hurricane-affected areas in 
Texas and Florida, and a DOD medical ship to Puerto Rico after Hurricane Maria struck in support of 


113 Federal Research Division, Library of Congress. Military Support to Civil Authorities: The Role of the Department of Defense in Support of Homeland 
Defense, 2007; Title 10. U.S. Code-Armed Forces, as amended 2011, Vol. III §§ 3001 et seq. 

114 Tim Naftali, "Send in the Cavalry: The President's Powers in the Event of Disaster," Slate, October 11, 2005. 

115 EIS Council, "Protection Initiatives. Restoration and Response." 

116 Claudette Roulo, "Defense Has Vital Role in Catastrophe Planning, Office Says," American Forces Press Service, DOD, August 14, 2012. 

117 DSCA, "Mission, Vision, and Values." 

118 Statement by Robert G. Salesses and Brigadier General Joseph E. Whitlock, Defense of Civil Authorities: A Vital Resource in the Nation's Homeland 
Security Missions, Hearing before the Subcommittee on Emergency Preparedness, Response, and Communications of the Committee on Homeland 
Security, House of Representatives, June 10, 2015. 

FEMA. 124 Through its experience, NORTHCOM has stated there are a number of lessons learned from the 
unprecedented season including the need for communication with affected communities and clearly 
defining the response necessary to provide better assistance. 125 NORTHCOM says that an after action report 
is currently being drafted that will be translated into how NORTHCOM responds to future hurricane 
seasons and disaster response. 

U.S. Indo-Pacific Command 

The U.S. Indo-Pacific Command (INDOPACOM) is a unified combatant command of the U.S. Armed 
Forces responsible for the Indo-Asia-Pacific region. Established in 1947, it is the oldest and largest of the 
unified combatant commands. 126 Its commander, the senior U.S. military officer in the Pacific, is responsible 
for military operations in an area which encompasses more than 100 million square miles, roughly 52 
percent of the Earth's surface, stretching from the waters off the west coast of the U.S. to the western 
border of India, and from Antarctica to the North Pole. The 36 nations comprising the Asia-Pacific region are 
home to more than half of the world's population, 3,000 different languages, several of the world's largest 
militaries, and five nations allied with the U.S. through mutual defense treaties. 127 

Unlike NORTHCOM, INDOPACOM only has four U.S. jurisdictions within its area: Hawaii, Guam, American 
Samoa, and the Commonwealth of the Northern Mariana Islands (CNMI). When it comes to disaster 
response, any needed INDOPACOM forces are assigned from lead federal agencies such as FEMA to provide 
capabilities that do not exist in the civilian sector. Because the four U.S. jurisdictions within its area are islands 
located, at the most, almost 6,000 miles away from the U.S. mainland, there is the potential for 
additional challenges that are not experienced elsewhere. 

In 2018, a memorandum of understanding (MOU) was signed between DOE, DHS, INDOPACOM, and the 
state of Hawaii "to identify a framework for cooperation and partnership to strengthen coordination of 
effort to enhance national and state security." 128 The MOU's goal is to create a cohesive and collaborative 
lens to look at the critical energy infrastructure interdependencies between the civil energy sector and 
identify vulnerabilities ahead of events and collectively develop mitigation approaches addressing those 
vulnerabilities. 

DOD and INDOPACOM are also supporting a new DHS- and Hawaii-led Defensive Cyber Industry 
Consortium (DCIC), an initiative to bring in stakeholders from lifeline sectors across Hawaii to emphasize 
the interconnectedness of critical vulnerabilities and the need for collaboration and sharing information. Still in 
its nascent stages, DCIC was expected to launch in November 2018. 

INDOPACOM, in partnership with Resurgo, LLC (a Honolulu-based DOD contractor), the Hawaiian Electric 
Companies, and the Naval Facilities Engineering Command (NAVFAC), has also launched a Critical Energy 
Infrastructure Defense-In-Depth demonstration. 129 It is aimed at exhibiting to the DOD and commercial 
energy providers a capability to mitigate and recover quickly from online and insider cyber activities 
directed against Supervisory Control and Data Acquisition (SCADA) infrastructure. The intrusion-tolerant 
focus of the demonstration will show how new technologies employed in a defense-in-depth configuration 
enable a utility grid SCADA system to fight through an attack without disruption of services. 130 


127 USINDOPACOM, "About USINDOPACOM: Headquarters, United States Indo-Pacific Command." 

Defense Threat Reduction Agency 

The Defense Threat Reduction Agency (DTRA) is an agency in DOD that is responsible for enabling DOD and 
the federal government to prepare for, prevent, and respond to risks and weapons of mass destruction 
(WMDs) and improvised threats and to ensure nuclear deterrence. 131 Established in 1998, DTRA supports 
efforts to prevent the proliferation and use of WMDs, perform research, and develop tools and capabilities 
in WMD and improvised threat environments. 132 

III. State and Local Government and Industry Roles 

Responsibility for responding to disasters begins at the local level. Only after SLTT government resources 
have been overwhelmed, and the governor or chief tribal executive of the affected state or tribal nation 
has requested federal assistance, does the federal government provide supplemental assistance. 133 
However, post-disaster recovery is so complex and wide-ranging that solutions do not fit neatly into 
individual programs. 134 

The current top-down approach to response, including the existing frameworks, is complex and difficult for 
local communities to navigate. The complexity of federal programs can hinder the speed and nimbleness of 
local and state response as leaders spend time trying to figure out which program fits their recovery 
needs and tailoring their response to federal program rules. 135 

Existing frameworks do not identify who has ultimate decision-making authority or clearly define the roles 
to be undertaken by state and local governments and the private sector during a catastrophic power 
outage. Disaster declarations and resource allocations are made at the federal and state level, not the local 
level, which can lead to a disconnect with the specific area affected. Even under the NPS 136 there is a lack of 
clarity on the roles and responsibilities in responding to events. 137 

This section will provide an overview of the existing roles outside the federal government for state and local 
governments and industry during an event. 

Mutual Aid 

Mutual aid agreements or mutual aid programs are arrangements among agencies, organizations, and 
jurisdictions that provide a mechanism to quickly obtain emergency assistance in the form of personnel, 
equipment, materials, and other associated services when a disaster or emergency event has depleted the 
resources of the affected area. 138 Mutual aid programs produce rapid, short-term distribution of emergency 
support prior to, during, and after an event. 139 


130 Kevin Jordan, "Critical Energy Infrastructure Cyber Defense-in-Depth," SERDP, ESTCP. 

131 DTRA, Strategic Plan FY2018-2022, March 2018. 

132 Statement of Shari Durand, Countering Weapons of Mass Destruction Posture, Hearing before the Emerging Threats and Capabilities 
Subcommittee, Committee on Armed Services, House of Representatives, March 23, 2017. 

133 Jared T. Brown, et al., Congressional Primer on Responding to Major Disasters and Emergencies, Congressional Research Service, 2017. 

134 Amy Liu, "Federal Post-Disaster Recovery: A Review of Federal Programs," What Works Collaborative, May 2010. 

135 Amy Liu, "Feds, States, Cities - The All of the Above Disaster Response," Brookings, November 2, 2012. 

136 DHS, National Preparedness System, November 2011. 

137 DHS, Section 2(e): Assessment of Electricity Disruption Incident Response Capabilities, August 9, 2018. 

138 FEMA, "Mutual Aid Agreements and Assistance Agreements," 2018. 

139 Ibid. 

There are different types of mutual aid agreements, ranging from formal ones adopted into statute between 
states or countries to informal understandings among consortiums outlining how government and private 
resources will provide aid within a specific community. 140 Participation in mutual aid is also a component of 
the NIMS. 141 

Emergency Management Assistance Compact 

The Emergency Management Assistance Compact (EMAC) is a non-federal national interstate mutual aid 
agreement, administered by National Emergency Management Association (NEMA), which facilitates the 
sharing of resources across state lines in times of disaster or emergency. 142 Beginning as a mutual assistance 
compact established by the Southern Governors Association (SGA) in response to Hurricanes Andrew and 
Hugo, 143 it later became law when ratified by Congress in 1995. The compact was renamed EMAC and has 
been adopted by all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. 144 

EMAC has become the predominant state-to-state mutual aid system in the United States. 145 EMAC can be 
used instead of, or in conjunction with, the federal disaster response system, to provide timely and cost-effective 
relief to states requesting help from other member states who understand the needs of areas that 
are struggling to preserve life, the economy, and the environment. 146 

Sector Mutual Aid Agreements 

Sector mutual aid agreements and programs were highlighted as effective emergency response tools to 
provide assistance in the form of personnel, equipment, or other materials following a disaster to improve 
response. 

Mutual aid does have its challenges, including the complex logistics of arranging basic necessities of food, 
water, and shelter for workers during a disaster when there may be limited access and strained 
infrastructure. And while it is ultimately deemed to be cost-effective, there is a reimbursement 
requirement. In some instances, challenges may arise if an impacted area is difficult to get to, or potential 
crews that would respond have other obligations first due to pre-existing contracts or company structure. 

Energy Sector 

For decades electric utilities and public power authorities have provided assistance to each other following a 
disaster. There are two major mutual assistance programs led by the Edison Electric Institute (EEI) and the 
American Public Power Association (APPA), which work in coordination with the National Rural Electric 
Cooperative Association (NRECA). 147 EEI's mutual aid program enables utilities to increase the size of the 
workforce following an incident by "borrowing" resources from other member utilities. 148 APPA's mutual aid 
assures that personnel and resources from other utilities can support national outage events and receive 
federal reimbursement for expenses incurred during said events. 149 


140 FEMA, "Mutual Aid Agreements and Assistance Agreements." 

141 FEMA, National Incident Management System, "Frequently Asked Questions." 

142 NEMA, EMAC: A History and Analysis of the Evolution of National Mutual Aid Policy and Operations, September 2014. 

143 Ibid. 

144 Ibid. 

145 Ibid. 

146 FEMA, "EMAC Overview for NRF." 

147 EEI, "Understanding the Electric Power Industry's Response and Restoration Process," October 2016; APPA, "Public Power Mutual Aid Playbook," 
September 2014. 

148 EEI, "Understanding the Electric Power Industry's Response and Restoration Process," October 2016. 

149 APPA, "Public Power Mutual Aid Playbook," September 2014. 

Within the Energy Sector, the Electricity Subsector Coordinating Council (ESCC)—building on the industries' 
culture of mutual assistance—has also formed the Cyber Mutual Assistance (CMA) Program. 150 The program 
is composed of industry cyber experts who can provide voluntary assistance to other participating entities in 
advance of, or in the event of, a disruption of electric or natural gas service, systems, and/or IT 
infrastructure due to a cyber emergency. 151 

Communications Sector 

The Communications Sector has pre-established internal and external priorities for end-user restoration 
before, during, and after an event that are modified in conjunction with Emergency Support Function (ESF) 
#2 and National Coordinating Center protocols, as needed. In 2016, the Federal Communications 
Commission (FCC) adopted an order supporting a voluntary industry commitment to promote resilient 
wireless communications and situational awareness during disasters. The voluntary commitment was 
through the wireless providers AT&T, Sprint, T-Mobile, U.S. Cellular, and Verizon, together with CTIA, which 
formed a Wireless Network Resiliency Cooperative Framework which sought to enhance coordination and 
communication to better ensure wireless continuity during emergency events. 152 

Water and Wastewater Systems Sector 

In the Water Sector, the Water and Wastewater Agency Response Network (WARN) serves as a network of 
utilities prepared to provide assistance through personnel, equipment, materials and other services to help 
respond and recover from an event. 153 


150 ESCC, "The ESCC's Cyber Mutual Assistance Program," January 2018. 

151 ESCC, "Frequently Asked Questions About Cyber Mutual Assistance," January 2018. 

152 Marsh et al., Final Network Resiliency Commitment Letter, 2016. 

153 EPA, Mutual Aid/Assistance Agreements, 2011. 

Electric Infrastructure Security (EIS) Council 

Since 2010, the Electric Infrastructure Security (EIS) Council has brought together senior government, utility, and 
NGO officials from North America, Europe, Israel, and across the world to review the threat of severe disruption of 
vital national infrastructures. EIS Council projects help utilities and their partners develop and implement cost-effective, 
consensus-based protection measures by hosting frameworks for sustained coordination, planning and 
best practice development. The Council's Electric Infrastructure Security Summit (EISS) Series has become the 
primary international framework bringing together senior government, utility and NGO officials from around the 
world to review the threat of disruption of vital national infrastructure. 

In 2017, the EIS Council launched EARTH EX, the first iteration of an annual, international, multi- and cross-sector 
exercise designed to build off of, and work with, existing large-scale exercises to address complex catastrophes 
spanning 14 countries, all FEMA regions, 44 states, 500 agencies and corporations, and 16 infrastructure sectors. 
The lessons learned from the exercise (e.g., there exists a global drive and motivation to work together to tackle 
resiliency) are being incorporated into upcoming Black Sky Playbooks and updated curricula and exercises that EIS 
makes available for government agencies and organizations that want to address black sky event planning. EARTH 
EX 2018 occurred on August 22, 2018. 

The EIS Council has developed a series of handbooks for electric utilities, government, and stakeholders to reduce 
the scope and duration of a black sky event. The playbooks determine internal and external requirements for black 
sky survival, along with accompanying exercises and training. The EIS Council has also prepared a number of 
recommendations for improving resilience to black sky events, including recommending the development of 
performance-based metrics for improving resilience to black sky events. The metrics have the potential to be used 
in parallel with the EIS sector-by-sector Black Sky Playbooks to determine internal and external requirements for 
black sky survival and develop compliance lists that each sector would abide by with the potential for incentives 
and reimbursements. 

The Council is in the early stages of creating a working prioritization model with national and international 
partners of interconnected and interdependent systems that would cause cascading effects across sectors beyond 
human capabilities. EIS has also initiated a simulation effort for a global infrastructure network optimization 
model (GINOM) to possibly work with relevant interested parties in the private sector and government agencies 
such as DOE to explore the potential for joint development of a mapping effort for explicit interdependencies. 

Source: E-PRO Handbook, 2014; EIS Council 

Appendix E: Sector Interdependencies 

The interconnected nature of the critical infrastructure sectors creates mutual interdependencies that could 
exacerbate the consequences of a catastrophic power outage. There is a lack of understanding of the 
cascading, cross-sector interdependencies between infrastructure and what that means for prioritizing 
backup generation and other limited resources to maintain services and functions during a long-term, 
widespread outage. Understanding the complex interdependencies between electricity and other critical 
infrastructure sectors is key to effectively assessing the impact of a long duration power outage. 

This appendix provides an overview of the interdependencies between electricity and the natural gas, 
communications, financial services, water and wastewater systems, and transportation systems sectors that 
could hinder or prevent power restoration during a catastrophic power outage. 

There are a number of ongoing initiatives focused on building cross-sector coordination. For example, 
exercises in individual sectors are beginning to include additional sectors, and at the state and regional level 
efforts are being made to better understand the risks posed by these interdependencies. This appendix also 
highlights a few of these exercises that have addressed cross-sector issues. 

I. Electricity Mutual Interdependencies 

Electricity is central to the functioning of all other sectors, and a catastrophic power outage would cause 
cascading failures across all of them. 

A. Natural Gas 

The electricity sector is becoming more reliant upon natural gas as a fuel source; from 2002 to 2016, the 
share of electricity generated by gas-fired units increased from 18 percent to about 34 percent while the 
share generated by coal fell from about 50 percent to about 30 percent. 154 EIA has estimated that natural 
gas production will account for almost 40 percent of U.S. energy production by 2040. 155 DOE found that 
"the electric sector's growing reliance on natural gas raises concerns regarding the ability to maintain bulk 
power system (BPS) reliability when facing constraints on the natural gas delivery systems." 156 

Similar to other sectors, the natural gas sector relies on electricity to operate industrial control and 
business systems. This section provides an overview of the structure and market of natural gas systems, 
potential risks, and some ongoing initiatives to build resilience. 

Natural Gas Structure and Markets 

The construction of natural gas pipelines is driven by the market and demand. Pipelines are built to meet 
firm capacity, when there is a willingness and ability of customers (i.e., shippers) to financially commit to the 
gas that would be provided. Limited pipeline capacity in a particular region can be attributed to factors such 
as environmental regulations hindering construction and/or residents who do not want pipelines in their 
communities. Also, there may be a general lack of incentive(s) among the generator community to contract 
for firm service. 


154 DOE, Staff Report to the Secretary on Electricity Markets and Reliability, August 2017. 

155 EIA, Annual Energy Outlook 2017 with Projections to 2050, January 5, 2017. 

156 NERC, Short-Term Special Assessment: Operational Risk Assessment with High Penetration of Natural Gas-Fired Generation, May 2016. 

The pipeline system is designed to be redundant with segmented pipes and looped/parallel pipelines, 
allowing natural gas to continue to flow despite potential disruptions in one section of the pipeline. 157 
According to a report by members of the Oil and Natural Gas Sector, the natural gas system is highly 
resilient because the production, gathering, processing, transmission, distribution and storage of natural gas 
is geographically diverse, highly flexible and elastic, characterized by multiple fail-safes, redundancies and 
backups. 158 

Natural gas is compressible, which allows natural gas to be stored near markets underground in geological 
formations and as liquefied natural gas (LNG) at aboveground facilities. Most compressor stations are run 
using natural gas and would not be affected by a loss of commercial electricity. If a compressor were to 
cease operating, natural gas could continue to flow, though at a somewhat lower capacity. Some natural gas 
pipeline companies have identified critical locations, including those with electric compressors, and have 
worked with their electricity service providers to ensure they have prioritized power when electricity is 
restored following an outage. 

If the pipelines and the compressor stations that maintain the pressure within them are compromised, gas 
could continue to flow to generators at gradually diminishing levels rather than being abruptly halted. The 
combination of sustained post-event gas flows and rapid restoration could enable generators to face only 
brief, low-impact interruptions. 159 However, compressors and industrial control systems that keep gas 
flowing to power generators and other users are more reliant on electric power. Some compressor stations 
do have emergency power generators and at least some on-site fuel to sustain operations in a blackout. 
These growing interdependencies create risks of cascading, mutually-reinforcing failures across both the 
Electricity Subsector and Oil and Natural Gas Sectors. 160 

Potential Risks 

Reliance on a single fuel creates the danger of "common mode failures" where a lack of natural gas 
incapacitates multiple generators and disrupts fuel supplies for power generation at the same time, which 
could help create power outages lasting a month or more over multiple regions of the United States. 161 
During a catastrophic outage, on-site fuel supplies for emergency generators will quickly be depleted. 
Massive, multi-sector requirements for fuel resupply would occur and contractors responsible for resupply 
operations will likely be unable to meet these requirements. For example, New England is especially 
susceptible to these concerns because it has limited "failsafe" infrastructure with limited trucking capability 
to serve the entire region and it has a high reliance on natural gas supply and LNG imports to meet winter 
peak loads. 162 


157 NERC, 2017 Long-Term Reliability Assessment, 2017. 

158 ONG SCC and NGC, Defense-In-Depth: Cybersecurity in the Natural Gas & Oil Industry, September 2018. 

159 Statement of Paul Stockton, Fuel Resilience for the Bulk Power System: Threat-Based Modeling and Analysis. Response to the Grid Resilience 
Order, Grid Resilience in Regional Transmission Organizations and Independent System Operators, 162 FERC ¶ 61,012. May 8, 2018. 

160 Paul Stockton, E-PRO Handbook II: Volume 1 Resilient Fuel Resources for Power Generation in Black Sky Events, EIS Council, 2016. 

161 Paul Stockton, Resilience for Black Sky Days: Supplementing Reliability Metrics for Extraordinary and Hazardous Events, NARUC, 2014. 


Blackstart Capabilities 

Blackstart generation is used to restart the electric system in a blackout. Blackstart generators can start without 
electricity from the grid and assist in system restoration. This is especially important in the face of a long-term 
outage when power may be out for an extended period of time. The reliance on a single fuel blackstart without 
fuel storage capacity or firm fuel arrangements may cause issues during a restoration event. Single fuel blackstart 
generator owners should develop alternative fuel capability or coordinate with their fuel providers to mitigate this 
risk. Regional Transmission Organizations (RTOs) and Independent System Operators (ISOs) have existing 
blackstart plans that are routinely exercised and built upon, but there is a desire for the government to be more 
involved. 

RTOs and ISOs build relationships with natural gas suppliers to bolster situational awareness. While RTOs and ISOs 
are not able to instruct them how to divert resources, they can work with market participants to identify where 
fuel supplies are running low and assist in that coordination. For example, the energy company ConEd has 
proposed a number of programs and projects to address the growing demand of natural gas in its service area. 
This includes building several new compressed natural gas storage sites to reduce the need for conventional 
pipeline supplies. 

Source: NERC, GridEx IV: Lessons Learned; EPRO Handbook II, Vol. I; Utility Drive, Oct. 5 

Given the limited number of pipelines and supporting gas infrastructure in New England, the loss of even a 
single natural gas compressor station or other gas system facility would create recurring energy shortages 
that would cause frequent and long rolling blackouts. 163 ISO-NE recently implemented two new initiatives to 
address the risk of winter energy shortages: publishing a 21-day look-ahead energy forecast 
that describes expected conditions, from normal to conditions requiring declaration of an energy alert or an 
energy emergency, and a change to the ISO-NE energy market. The second initiative, in the daily energy market, 
will provide each generator with an estimated opportunity cost that can be incorporated into its offer price 
for the next day. Each morning, the next day's opportunity costs will be calculated for each generator and 
provided to resource owners. 164 

Natural gas disruptions could also cause ripple effects across supply chains, whose corruption could pose 
significant challenges. 165 There should be conversations among all stakeholders about emergency energy 
diversification because as the nation moves away from traditional energy generation (e.g., coal and nuclear) 
to natural gas, new challenges are created if primary power and backup power are taken out simultaneously 
(e.g., supply chain issues that disrupt the distribution of natural gas). 


162 NERC, 2017 Long-Term Reliability Assessment, 2017. 

163 ISO New England, Operational Fuel-Security Analysis, January 17, 2018. 

164 ISO Newswire, "ISO-NE is implementing near-term changes in both operations and markets to help address the risk of winter energy shortage," 
Press release, November 2, 2018. 

165 NERC, CIP-013-1 - Cyber Security Supply Chain Risk Management Plans, April 2017. 

In the event of significant damage to physical pipeline 
infrastructure, service restoration for natural gas is 
time-consuming and expensive. Federal authorities do 
not have an estimate on the amount of time it would 
take to recover if natural gas is shut off in a vast 
portion of the U.S. such as the East Coast. 166 A 2018 
report prepared for Southern California Gas examined 
the resilience of natural gas infrastructure in disasters 
and recommended utilities sub-divide their gas 
systems so that when service isolation is necessary it 
can be done on a more granular level. 167 

Existing and Proposed Standards and Guidelines 

There are existing guidelines and plans that direct the 
safety and security of the natural gas pipeline 
system. 168 For example, the Pipeline Security and 
Incident Recovery Protocol Plan (the Plan) was 
completed in 2010 as required by the 9/11 
Commission Act of 2007 169 by the TSA and the 
Pipeline and Hazardous Materials Safety 
Administration (PHMSA). The Plan acted as a 
framework to support the recovery of pipeline 
infrastructure and measures to prevent a security 
incident and enhance pipeline resiliency. 170 Within the 
federal government, the Plan mainly applies to the 
TSA and PHMSA, identifying ways they can provide 
increased security support to the critical interstate and intrastate natural gas and hazardous liquid 
transmission pipeline infrastructure when threatened and how the government will work to ensure 
continued transportation of product following an incident. 

NERC has offered a set of recommendations on opportunities for gas-electric coordination, many of which 
might be supported by data to facilitate broader assessments of fuel resilience and collaborative mitigation 
measures. 171 And while there are NERC standards, NERC reliability standards apply to electric infrastructure, 
not gas transmission lines and other fuel systems on which the grid depends. Natural gas does not have 
mandatory reliability standards directly comparable to those for the bulk electric system. "We need an in-depth 
understanding of the resilience of our electricity and the related, supporting infrastructure in order to know 
how best to either modify existing market structures or build new resiliency standards into the system." 172 


Natural Gas and Cybersecurity 

The American Petroleum Institute (API), the Natural 
Gas Council (NGC) and the wider membership of the 
ONG Subsector Coordinating Council (SCC) released 
a report in October 2018 describing steps the 
industry has taken to improve its resilience to cyber 
threats. The report emphasized the industry's 
preference for voluntary mechanisms including 
frameworks and public-private collaboration, rather 
than rigid standards or regulations to provide the 
necessary flexibility and agility to respond to a 
constantly-changing cyber threat landscape. 

The National Risk Management Center (NRMC) is 
also working with the Transportation Security 
Administration (TSA), Department of Energy (DOE), 
the Federal Energy Regulatory Commission (FERC), 
and the Electric Subsector Coordinating Council and 
Oil and Natural Gas Subsector Coordinating Council 
on cyber and physical risks to natural gas pipeline 
infrastructure. 

Source: ONG SCC and NGC, Defense-in-Depth: 
Cybersecurity in the Natural Gas and Oil Industry 
report 


166 Blake Sobczak, et al., "Cyber raises threat against America's energy backbone," E&E News, May 23, 2017. 

167 ICF, Case Studies of Natural Gas Sector Resilience Following Four Climate-Related Disasters in 2017, Southern California Gas Co, 2018. 

168 DHS, Pipeline Security Guidelines, March 2018; Behr, Peter and Blake Sobczak, "TSA to expand gas pipeline cybersecurity oversight," E&E News, 
December 22, 2017. 

169 9/11 Commission Act of 2007. Pub. L. 110-53. 

170 A security incident is any event determined by DHS/TSA to be significant enough to begin monitoring the situation for further developments. 

171 Statement of Paul Stockton, Fuel Resilience for the Bulk Power System: Threat-Based Modeling and Analysis. Response to the Grid Resilience 
Order, Grid Resilience in Regional Transmission Organizations and Independent System Operators, 162 FERC ¶ 61,012. May 8, 2018. 

172 Bruce Walker, Testimony Before the United States Senate Committee on Energy and Natural Resources, January 23, 2018. 

The Oil and Natural Gas Sector Coordinating Council (ONG SCC) is working closely with other sectors through 
Information Sharing and Analysis Centers (ISACs), through DOE and DHS tabletop exercises (e.g., GridEx, 
National Level Exercise (NLE), ClearPath), through state-led exercises, and through direct coordination with 
the ESCC. 

B. Communications Sector 

Restoration and recovery are next to impossible without working communications. Existing plans and 
exercises across all sectors rely on the ability to coordinate response through voice or data communications. 
Current emergency communications systems are unlikely to provide the multi-sector connectivity and 
interoperability that will be essential in catastrophic power outages. 173 Voice and data communications are 
used for normal business functions (e.g., personnel records, payroll systems) and for supervisory control and 
data acquisition (SCADA), crew dispatch, and control of electricity generation and delivery. 

Communication networks were designed for power outages that are infrequent or of short duration; backup 
generators and fuel storage are designed to support an outage of a few hours to a few days. 
Communications systems will require fuel for generators, but pipeline pumping stations, storage depots, 
and truck distribution could be affected by a catastrophic power outage, preventing the necessary resupply 
needed for communications networks to continue to operate. Due to its limited lifespan, current battery 
technology would most likely not have a significant impact in reducing dependencies and/or 
interdependencies during a long-term outage. 174 

Without communications, crucial sector operations would grow increasingly difficult over extended periods 
of time since manual operations, when they are possible, depend on timely communications. Most 
companies have satellite-based phones and radio communications, but these systems need to be properly 
maintained and tested. 

The President's National Security Telecommunications Advisory Council (NSTAC), a presidential advisory 
council focused on reliable telecommunications, released two reports in 2006 on the interdependency 
between the communications and electric sectors and how this could be impacted by a long-term outage in one 
or both sectors. While the reports were completed more than a decade ago, a number of the conclusions 
and recommendations are still relevant. Examples include the need to identify and prioritize adequate fuel 
resupply to maintain backup power for communication systems, and the lack of clarity on the transition 
from local to national management of a long-term outage. 175 

There are a number of ongoing efforts to address emergency communications platforms and processes and 
prior efforts may provide lessons learned. 

Prior Efforts 

• The Critical Infrastructure Warning Information Network (CWIN) was a DHS program designed to 
create a hardened communications system as a stand-alone, independent network that connected 
the government and critical sector owners and operators to coordinate recovery and reconstruction 
following an event. CWIN was established in 2001 and funded through 2010, with a budget of $30 
million in 2003 alone. During its existence, CWIN included 51 state Emergency Operation Centers 
(EOCs), 163 federal and state representatives, and had 160 client terminal sites across the United 
States, and all states and the main ISACs were connected. 176 Though it is unclear why CWIN was 
discontinued because by all assessments it was well managed and operating effectively, CWIN may 
have had too high a price tag and come before its time because there was no protocol on 
information sharing liability in the early 2000s. 


173 EIS Council, "Black Sky Emergency Communication & Coordination System: BSX." 

174 CSCC and Communications-ISAC, "Communications Sector Response to DHS Data Call - Executive Order 13800," July 28, 2017. 

175 NSTAC, NSTAC Report to the President on Telecommunications and Electric Power Interdependencies: The Implications of Long-Term Outages, 
December 2006. 

Ongoing Initiatives 

• The Electricity Subsector Coordinating Council (ESCC) Resilient Communications Working Group 
has identified the need to update, modernize, and move some of the underlying systems out of 
private networks partially because real-time coordination across multiple sectors makes voice and 
data telecommunications critical for operation of the grid. 177 This Working Group has created a 
policy principle statement supporting emergency communications to validate and formalize the 
current work being done with the Communications Sector. The ESCC has also recommended that 
some form of backup communications capability to restore the grid after a major disaster needs to 
be created. 

• The Black Sky Emergency Communications and Coordination System (BSX), an interoperable, 
secure system that can incorporate a range of communication technologies to support grid re-start 
activities, is being developed by the EIS Council as a means to provide secure communications 
during an event. 178 A BSX system will have the ability to: 179 

o Survive electromagnetic pulse (EMP) attacks, cyberattacks, catastrophic earthquakes, and 
other black sky hazards 

o Continue functioning in the absence of grid-provided power for a month or more 

o Withstand adversarial efforts to disrupt communications or corrupt the integrity of data 
flows 

o Provide critical voice and data connectivity for situational awareness, sustainment, and 
restoration operations across multiple regions of the United States 

o Provide an engine for decision support, keyed to the unique requirements of the local users' 
equipment, sector by sector, adequate to help manage the scale of a black sky complex 
catastrophe 

■ There could be reinvestments to FNARS (FEMA's National Radio System)—the 
Agency's high frequency (HF) radio network that provides a minimum essential 
emergency communications capability among federal, state, local, commonwealth, 
and territorial governments in times of national, natural and civil emergencies. 180 

C. Water and Wastewater Systems Sector 

Water and energy are resources that are reciprocally and mutually linked, because energy needs require 
water—through mining, fuel production, hydropower, and power plant cooling—and water needs energy— 
to pump it, treat it, distribute it, and discharge wastewater. 181 There are almost 200,000 drinking water 
treatment systems in the United States, and roughly 15,000 water treatment facilities. 182 About 85 percent 


176 DHS, "IT Program Assessment: NPPD - Critical Infrastructure Warning Information Network (CWIN);" DHS, "Privacy Impact Assessment for the 
Critical Infrastructure Warning Information Network," January 7, 2006. 

177 NSTAC, NSTAC Report to the President on Telecommunications and Electric Power Interdependencies: The Implications of Long-Term Outages, 
December 2006. 

178 EIS Council, "Black Sky Emergency Communication & Coordination System: BSX." 

179 Paul Stockton, E-PRO Handbook III Cross-Sector Coordination and Communications in Black Sky Events, EIS Council, 2018. 

180 FEMA, "Non-Federal Outreach and Technical Assistance Offerings." 

181 Claudia Copeland and Nicole T. Carter, Energy-Water Nexus: The Water Sector's Energy Use, Congressional Research Service, January 24, 2017. 

182 NIAC, Water Sector Resilience: Final Report and Recommendations, June 2016. 
of the U.S. is supplied by 5 percent of the drinking water system, while the 15,000 water treatment facilities 
serve over 75 percent. 183 

The Energy Sector's water consumption is projected to rise 50 percent from 2005 to 2030. 184 According to a 
2010 Congressional Research Service report, "The more water used by the energy sector, the more 
vulnerable energy production and reliability is to competition with other water uses and water 
constraints." 185 

Without water services, factories shut down, hospitals close, communities are disrupted, and most hotels, 
restaurants, and businesses cease operations. 186 If water and wastewater systems failed in communities 
across multiple states or U.S. regions, the societal consequences and risk to the lives and safety of affected 
populations would be difficult to overestimate. 187 As the U.S. Environmental Protection Agency (EPA) put it, 
"water infrastructure damage can adversely affect the operation of all other critical infrastructure sectors. 
Conversely, damage to other critical infrastructure sectors could negatively affect drinking water and 
wastewater services, thereby creating an infrastructure interdependency." 188 

A growing number of electric utilities are installing their own emergency power generators or arranging with 
partners (including the U.S. Army Corps of Engineers (USACE)) to install generators when an emergency 
strikes. Many utilities are also expanding their capacity to store generator fuel onsite, and are improving 
their ability to provide mutual assistance when severe events occur. 189 

The EIS Council has been working with American Water, Aqua America, and the American Water Works, 
developing black sky playbooks and a Water Sector Electric Infrastructure Protection (E-PRO) Handbook for 
individual water and wastewater systems. A 2016 E-PRO Handbook recommended establishing minimal 
sustainable service levels with infrastructure investments and developing plans to achieve those service 
levels to strengthen the resilience and ability of water and wastewater systems to sustain emergency 
operations. 190 

A 2018 American Water Works Association after-action report on Hurricanes Harvey and Irma 
recommended that DHS and FEMA establish a policy that designates water and wastewater services as top 
priorities for power restoration. 191 The report emphasized that, given the critical lifeline functions the Water 
and Wastewater Systems Sector provides communities for response and recovery, such as fire protection and 
public health and safety, water systems should have top priority status when power supply is at risk. 192 
Sustaining drinking water and wastewater services reduces pressure on other emergency management 
needs, supports shelter-in-place capabilities, and allows for continued economic activity. 193 


183 NIAC, Water Sector Resilience: Final Report and Recommendations, June 2016. 

184 Nicole T. Carter, Energy's Water Demand: Trends, Vulnerabilities, and Management, Congressional Research Service, November 24, 2010. 

185 Ibid. 

186 NIAC, Water Sector Resilience: Final Report and Recommendations, June 2016. 

187 Paul Stockton, E-PRO Handbook II: Volume 2 Water: Water Sector Resilience for Black Sky Events, EIS Council, 2016. 

188 EPA, "Understanding Water Sector Interdependencies." 

189 Paul Stockton, E-PRO Handbook II: Volume 2 Water: Water Sector Resilience for Black Sky Events, EIS Council, 2016. 

190 Ibid. 

191 American Water Works Association and Water/(WARN), Hurricanes Harvey and Irma After-Action Report, 2018. 

192 Ibid. 

193 Ibid. 
D. Transportation Systems Sector 

In 2017, 29 percent of U.S. energy consumption was for transporting people and goods. 194 As the NIAC 
noted in its 2015 Transportation Sector Resilience: Final Report and Recommendations, "America's 
transportation system is a very complex 'system of systems,' with seven distinct modes; a diverse ownership 
across the private sector and federal, state, local, and regional jurisdictions; and a vast array of services to 
move people and freight. This diversity complicates transportation planning, funding, design, and operations 
and presents significant challenges for integrating resilience into infrastructure and organizational 
practices." 195 The seven distinct modes include: aviation, highway and motor carrier, maritime 
transportation system, mass transit and passenger rail, freight rail, postal and shipping, and pipeline 
systems. 196 

Limited or degraded transportation systems in an affected area during a catastrophic power outage could 
hinder response and restoration by delaying supplies or preventing individuals from traveling to their homes 
or other safe areas. 

The Pacific Northwest Cascadia Rising Exercise determined that catastrophic plans were inadequate for a 
scenario of that magnitude because current response plans are developed assuming that fundamental 
capabilities, such as communications and transportation, would be functional. 197 The exercise determined 
that failure to quickly prioritize critical transportation routes for evacuation and clearance delayed the 
restoration of key routes in and out of impacted areas and that an overreliance on single modes of 
transportation, such as rotary-wing aircraft, quickly created a bottleneck. Most notably, the exercise 
illuminated that transportation agencies tend to function in silos, with minimal collaboration with other 
participating entities to pool information and assets, causing information gaps and a lack of awareness of 
resources available for assistance. 

This was notable after Hurricane Maria struck Puerto Rico. One of the biggest lessons learned, and a massive 
limiting factor for response on the island, was the time and effort required to get supplies and personnel to the island. 
In the continental United States, supplies can be sent through a variety of methods (e.g., truck, rail, plane), 
but there were only two ways to get supplies to Puerto Rico—airports and sea ports—both of which were 
damaged. Given the limited ways to transport supplies, only a certain number of planes could be sent 
each day. The result was that supplies for power restoration were competing with public health and 
safety supplies and priorities. 

E. Financial Services Sector 

The Financial Services Sector consists of investment institutions, insurance companies, credit and financing 
organizations, and the infrastructure that enables these businesses to function. 198 Financial Services Sector 
disruptions can also have cascading impacts on other sectors that require financial data systems for 
day-to-day operations. For example, in 2012, several financial institutions large and small withstood coordinated 
distributed denial-of-service (DDoS) attacks. 199 


194 EIA, Monthly Energy Review, Table 2.1, April 2018. 

195 NIAC, Transportation Sector Resilience: Final Report and Recommendations, July 10, 2015. 

196 DHS, "Transportation Systems Sector: Sector Overview." 

197 FEMA, Emergency Managers Announce Improvements After Cascadia Rising Exercise, June 7, 2017. 

198 DHS, "Financial Services Sector." 

199 DHS, "Financial Services Sector-Specific Plan 2015." 
The Electricity and Financial Services Sectors are not only interconnected, but also underpin all other 
sectors. 200 The Homeland Security Advisory Council (HSAC) Cybersecurity Subcommittee stated in its 2016 
report that these sectors along with the Communications Sector face rapidly growing cyber threats, and 
because of other sectors' reliance on them, could be attractive targets for a cyber attack. 201 

In 2016, the CEOs of eight banks—Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan 
Chase, Morgan Stanley, State Street and Wells Fargo—came together to proactively identify ways to 
enhance the resilience of the critical infrastructure underpinning much of the U.S. financial system. They 
created a long-term strategic initiative that performs deep analyses of systemic risk across financial products 
and practices, known as the Financial Systemic Analysis and Resilience Center (FSARC). The FSARC’s mission 
is to proactively identify, analyze, assess and coordinate activities to mitigate systemic risk to the U.S. 
financial system from current and emerging cyber security threats through focused operations and 
enhanced collaboration between participating firms, industry partners, and the U.S. Government. 202 

The FSARC leverages the expertise of participating banks' information/cyber-security teams with that of its 
government partners, including the Department of Treasury, DHS, and the Federal Bureau of Investigation 
(FBI). 203 


II. Cross-Sector Exercises 

There are a number of existing exercises that bring together key stakeholders across industry and 
government to test plans, identify gaps that need to be addressed, and develop relationships before disaster 
strikes. This section provides an overview of some recent exercises that could be enhanced or built upon to 
test preparedness and response to a catastrophic power outage. 

A. GridEx IV 

NERC conducted its fourth biennial grid security and emergency response exercise, GridEx IV, from 
November 15-16, 2017. 204 With 6,500 individuals and 450 organizations participating across industry, law 
enforcement, and government agencies, GridEx IV provided an opportunity for various stakeholders in the 
electricity sector to respond to simulated cyber and physical attacks that affect the reliable operation of the 
grid, fulfilling NERC's mission to assure the effective and efficient reduction of risks to the reliability and 
security of the BPS. 205 

Led by NERC's E-ISAC, GridEx IV was the largest geographically distributed grid security exercise to date. In 
addition to the distributed play portion of GridEx IV, a six-hour executive tabletop involved industry 
executives and senior government officials. 206 The tabletop was facilitated as a structured discussion for 
industry and government to share the actions they would take and issues they would face in responding to 
the scenario. Participants articulated the severe limitations and barriers that would need to be addressed, 
both independently and collaboratively, to respond. 207 


200 NIAC, Securing Cyber Assets, August 2017. 

201 HSAC, Final Report of the Cybersecurity Subcommittee: Part I-Incident Response, 2016. 

202 "Financial Systemic Analysis & Resilience Center Appoints Scott DePasquale As President," PRNewswire, March 15, 2017. 

203 FS-ISAC, "FS-ISAC Announces the Formation of the Financial Systemic Analysis & Resilience Center (FSARC)," News Release, October 24, 2016. 

204 NERC, Grid Security Exercise GridEx IV: Lessons Learned, March 2018. 

205 Ibid. 

206 Ibid. 

207 Ibid. 
The exercise identified some action items that need to be addressed. The most relevant for this study 
include: 208 

• The need for increased shared understanding of the risk environment in different communities from 
a long duration power outage to ensure there are answers before an event occurs. 

o This would require a coordinated effort starting at the local level then to the state and 
federal level, with clear roles and responsibilities across all parts of government to divide or 
align efforts. 

• There has been no assessment of the mismatched supply of generators and fuel for backup 
generators across multiple infrastructure sectors. 

• The government needs to provide continual, proactive support through tighter coordination with 
industry. 

o The government needs to stop providing episodic support and simply reacting to events, 
and provide continuous support to industry through increased coordination. 

• Expand GridEx IV further because the current exercise did not offer an effective opportunity for 
electric utilities to exercise their external communications response plans with external 
organizations, such as law enforcement and state emergency managers. 

B. Dark Sky Exercise 

In May 2018, the State of Wisconsin held Dark Sky, which simulated a long-term, mass power outage across 
a wide swath of Wisconsin (45 counties—approximately two-thirds of the state—affecting 2.8 million 
people) to test how Wisconsin Emergency Management (WEM), local emergency management officials, the 
Wisconsin National Guard, first responders, and private utilities would respond to an outage's second and 
third order effects. 

The purpose of the exercise was to test existing emergency and contingency plans, and to increase the 
understanding of the coordination, policies, and procedures required to conduct a Joint Inter-Agency 
response to cyber and physical threats and subsequent attacks on infrastructure. 

The exercise was conducted May 15-17, 2018 at 19 different locations in Wisconsin and included more 
than 1,600 participants from more than 240 agencies and departments across all levels of government and 
the private sector. It also included a cyber range to simulate a cyber-physical attack on grid infrastructure, 
which brought together public and private sector participants as part of a Red Team/Blue Team scenario. 

The exercise was also an opportunity for the state to test its separate secure fiber line that connects the 
State Emergency Operation Center, Joint Operations Center and key private sector entities. 

Dark Sky was the culmination of a multi-year planning cycle, which built on the state's participation in prior 
exercises, including GridEx IV in November 2017 and the 2017 and 2018 annual Statewide Mobile Interoperable 
Communications exercises. The state was also part of FEMA Region V POIA planning and workshops. 


In March 2015, the Wisconsin Department of Military Affairs (which includes the Wisconsin National Guard 
and WEM) and the seven private sector electric utilities in the state formally established a public-private 
partnership. In 2017, the parties established the Wisconsin Utilities Coordination Group to support joint 
planning and formalize a system to coordinate activities during an emergency. 

Source: Wisconsin Department of Military Affairs 


208 NERC, Grid Security Exercise GridEx IV: Lessons Learned, March 2018. 
Wisconsin used the exercise to test a draft emergency fuel plan and state-level fuel stakeholder 
coordination procedure. The state intends to use lessons learned from Dark Sky to inform development of a 
statewide emergency fuel plan. 

C. Cascadia Rising 

The Cascadia Rising 2016 Exercise was a two-year effort to test and validate catastrophic plans for a 9.0 
magnitude earthquake along the 700-mile Cascadia Subduction Zone (CSZ) fault with subsequent tsunamis 
and aftershocks, impacting California, Oregon, Washington, and potentially Idaho. 209 

The exercise spanned local, state, tribal, and federal governments, the military, private sector, and 
non-governmental organizations (NGOs) in a simulated field response to the aftermath of a disastrous CSZ 
earthquake and tsunami. Specifically, the exercise aimed to test the ability of EOCs in the region to 
coordinate and communicate priorities and objectives, share situational information, and request, order, 
and transport life-saving resources to impacted areas in the event of such a scenario. 

The exercise highlighted that catastrophic plans should encompass the full planning process, from 
formation, understanding the scenario, determining goals and objectives, and decision making, to development, 
implementation, and maintenance. A clear and aligned prioritization system should be developed for local 
areas to work with state and federal entities. Other lessons learned most relevant to this study include: 

• Jurisdictions should anticipate widespread communications outages and pre-identify alternate 
communication strategies before a catastrophic event occurs. 

o The pocket of communication infrastructure that will remain accessible and functional in a 
heavily degraded state will need to be able to share vital information with the public with the 
correct messaging. 

• All jurisdictions should consider extending access to their information management and 
collaboration systems to external partners as needed, while ensuring the appropriate moderation 
and maintenance required to sustain any increased access. 

• Partnerships with private and military assets would greatly expand the transportation options 
available. Processes for formalizing new relationships need to be streamlined to an expedited 
process during disaster response. 

D. Liberty Eclipse 

DOE's Liberty Eclipse exercise in November 2018 was intended to be a "hands-on" test of the grid's ability to 
bounce back from a blackout by simulating the painstaking process of re-energizing the power grid 
while squaring off against a simultaneous cyberattack on electric, oil and natural gas infrastructure. 210 

The goal of the Liberty Eclipse exercise was to prepare the response to a major incident caused by cyber 
attacks that could be frequent events in the near future. The exercise emphasized that utilities that have to 
restore electricity following massive blackouts first need to provide an initial jump of electricity before they can 
start generating it. 211 The 2018 Liberty Eclipse exercise focused on re-energizing the grid and was expected 
to further examine the electric sector's reliance on natural gas. 212 It featured a two-day tabletop exercise for 


209 FEMA, Emergency Managers Announce Improvements After Cascadia Rising Exercise, June 7, 2017. 

210 Blake Sobczak, "DOE to vet grid's ability to reboot after a cyberattack," E&E News, August 3, 2018. 

211 Pierluigi Paganini, "Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks," Security Affairs, August 6, 
2018. 

212 Blake Sobczak, "DOE to vet grid's ability to reboot after a cyberattack," E&E News, August 3, 2018. 
grid and oil and natural gas representatives, ahead of an operational drill of the step-by-step process for 
restoring electricity following massive blackouts. 213 

An after-action report is planned that will contain lessons learned and strategies to protect the grid against 
emerging cyber threats. 214 DOE aims to make the Liberty Eclipse exercise a recurring, regionally focused 
supplement to GridEx. 


213 Blake Sobczak, "DOE to vet grid's ability to reboot after a cyberattack," E&E News, August 3, 2018. 

214 Ibid. 
Appendix F: Individual and Community Preparedness Efforts 

Ultimately all events, from small to large disasters, are local. 215 This means that those closest to impacted 
areas are the true first responders during any emergency or disaster—from individuals to families to 
neighbors and local communities. 216 However, there remains an ongoing myth that the federal government 
will be able to provide assistance and resources directly after an event to help with response, and that is not 
always the case. 

State and local governments have a better understanding of the needs of their communities and have 
established relationships with owners and operators that will need to be called on following an event. 
Therefore, a solid capacity at the local and state level to respond to the needs of people is of utmost 
importance. The more communities can do to focus on preparedness before an event occurs, the more 
likely they are to have better outcomes following an event. 

However, not all communities are at the same level of preparedness. This means that any planning needs to 
recognize that each community exists in its own context and there is not a one-size-fits-all approach for 
preparedness. 

As the frequency and severity of disasters increase, there are two key ways communities build up their 
capacity and capabilities: 

1. Accountability at the individual level for people and the local community. 

2. Investment in infrastructure and community development that can make a big difference in a 
community's resilience. 

State and local efforts are necessary to build community and individual resilience. This includes increased 
outreach and education for businesses and the general public on steps they can take to survive in place, 
improved personal preparedness, and support and sustainment of the local workforce that will be critical to 
infrastructure restoration. 

There are a number of ongoing efforts aimed at building individual and community resilience, including 
state initiatives and the work being done by the National Institute of Standards and Technology (NIST) 
Community Resilience Program. This appendix provides a high-level overview of those efforts. 


National Voluntary Organizations Active in Disaster 

The NVOAD is a nationwide coalition of organizations that work together to help communities prepare for and 
recover from disaster. It is made up of NGOs, faith-based and community-based organizations and promotes 
cooperation, communication, coordination, and collaboration among members to create a more effective delivery 
of services to communities affected by disaster. 

NVOAD also provides specific liaisons to work at designated DHS/FEMA locations to support ESF #6. 

Source: FEMA, ESF #6 Fact Sheet 


215 FEMA, DHS, "Unit Four: Emergency Management in the United States," Training. 

216 FEMA, 2018-2022 Strategic Plan, 2018. 
I. Examples of State Government Initiatives for Community Preparedness 

Although federal and state entities provide preparedness resources to individuals through websites, 
campaigns, and pamphlets, examples observed in the states of Washington, Oregon, and Hawaii reveal 
additional possible efforts that could better ensure the safety of the public during a catastrophic power 
outage. 

• Washington: The 2016 Cascadia Rising exercise, which tested the Pacific Northwest's ability to not only 
survive but recover from a Cascadia Subduction Zone earthquake and resulting tsunami, 217 identified 
issues with transportation, evacuation, sheltering, and the significant time before regional response 
agencies and neighboring states send assistance. 218 Afterward, Washington and representatives from 
regions, cities, and counties of the entire state voted to change the disaster preparedness timeline 
from 3 days to 14 days or more. The state has provided information on creating Disaster Go To Kits 
and ways to stockpile food within homes. 219 

• Oregon: Oregon's Office of Emergency 
Management encourages people to be prepared to be on their own for a minimum of two weeks, 
and details guides in time increments, from 2 minutes, 2 hours, 2 days, and 2 weeks after an 
event. 220 This lessens the strain on emergency responders who need to focus limited resources on 
injured and other vulnerable populations immediately following a disaster. 221 

• Hawaii: Hawaii's Emergency Management Agency (HI-EMA) launched a 2 Weeks Ready Campaign to 
inform the public of the necessary plans, kits, and procedures for a disaster with wide-spread 
impacts beyond the standard 72 hours. 222 There is also a Hawaii Hazards Awareness and Resilience 
Program (HHARP) to help communities prepare to be self-reliant during and after events. 223 


Community Emergency Response Team (CERT) Program 

FEMA's Community Emergency Response Team (CERT) program is designed to help communities 
prepare for effective disaster response through training and preplanning. CERT educates volunteers 
about disaster preparedness for the hazards that may impact their area and trains them in basic 
disaster response skills, such as fire safety, light search and rescue, team organization, and disaster 
medical operations. There are over 2,700 local CERT programs nationwide, with more than 600,000 
individuals trained since CERT became a national program. 

Source: FEMA, Community Emergency Response 


217 FEMA, Cascadia Rising 2016 Exercise: Joint Multi-State After Action Report, September 6, 2016; Emergency Management Division Washington, 
"Preparedness." 

218 "Disaster Preparedness - 3 Days, (72 Hours) is NOT Sufficient," Website for the City Of Ocean Shores. 

219 "Snohomish County Disaster Preparedness Guide," snohomishcountywa.gov, January 2017. 

220 Oregon Office of Emergency Management, "Communicating during & after emergencies." 

221 "2 Weeks Ready," Oregon.gov. 

222 Eric Holdeman, "Hawaii Opts for 14 Days Preparedness," Emergency Management, August 22, 2018; HI-EMA, 2 Weeks Ready Brochure, August 
2018. 

223 HI-EMA, "Hawaii Hazards Awareness and Resilience Program (HHARP)." 
II. National Institute of Standards and Technology Community Resilience Program 

NIST has been working on developing community resilience planning and related guidance tools designed to 
be community-driven and incorporated into existing efforts for a number of years. Part of this effort is the 
NIST Community Resilience Program, which began in 2014 in response to several large-scale disasters. 224 

The program is designed to: 225 

1. Develop science-based tools and metrics to support and measure resilience at the community level 
and support economic evaluation of alternative solutions to improve resilience. 

2. Engage community resilience stakeholders for feedback for products, such as guidance, tools, and 
metrics, for planning and implementing resilience measures. 

3. Learn from events that have impacted the built environment to better understand adverse hazard 
impacts on communities and develop improved tools and methods for field studies. 

The program is meant to be locally led. The community resilience planning and related guidance tools, 
including economic decisions guides and community resilience planning guides, are designed to be 
community-driven and incorporated into existing efforts. 226 Through the guidance, communities can 
establish collaborative planning teams who do the bulk of the work, and engage a larger stakeholder 
network to inform the process. 

To emphasize that the program's solutions are not imposed on a community, but rather developed 
consistent with a community's capacity to build, maintain, and operate over time, NIST is initiating a 
program called the Community Resilience Panel. 227 Because engagement across the community is key to 
ensure all stakeholders are bought into the process and its end result, this panel within communities will 
promote collaboration among stakeholders to strengthen the resilience of buildings, infrastructure, and 
social systems upon which communities rely. 228 Cities, counties, and communities need to define what 
resilience should look like for them, such as determining their unique critical functions or locating vulnerable 
populations. NIST's approach is to develop tools that can be implemented locally to help develop the 
capacity at the local levels. 

The first major deliverable of the Community Resilience Program was the Community Resilience Planning 
Guide for Buildings and Infrastructure Systems report, released in 2015. 229 The Guide offers a six-step 
process to develop community resilience containing resilience plans that drive or complement ongoing 
resilience improvement planning across communities. Since the Guide's release, several communities have 
begun to use it to develop resilience plans. Some examples include: 230 

• Fort Collins, Colorado used the Guide to address government, education, healthcare, and 
community service organizations that provide shelter during emergencies. 


224 NIST, "Community Resilience Program." 

225 Ibid. 

226 Ibid. 

227 Ibid. 

228 Ibid. 


229 Stephen A. Cauffman, Community Resilience Planning Guide for Buildings and Infrastructure Systems: Observations on Initial Implementations. 
NISTIR 8229, September 2018. 

230 Ibid. 




• Delaware Department of Transportation (DelDOT) used the Guide to support two highway corridor 
assessments and as a reference in the development of Maryland's Strategic Implementation Plan for 
Climate Change, Sustainability, and Resilience for Transportation. 231 

• Howard County, Maryland used the Guide as it was in the process of developing a recovery plan for 
the county that used the NIST Guide as a reference. 

NIST has also done work to identify building clusters or the buildings within communities that provide 
crucial services or functions. 232 Every building and infrastructure system is not needed immediately 
following a hazard event. The time needed to achieve community recovery depends on the extent of 
damage, the overall physical and mental health of the community, dependencies between systems, the 
characteristics of the community's economy, the governance structure, and the availability of financial 
resources. Therefore, it is important that these factors be known and understood across a community to 
support recovery. 233 By setting specific performance goals for building clusters, communities will shape the 
sequence of recovery activities for their built environment and identify dependencies between systems. This 
can help communities identify sheltering capacity and other needs. 234 


231 Delaware Department of Transportation, Strategic Implementation Plan for Climate Change, Sustainability & Resilience for Transportation, July 
2017. 

232 NIST, Guide Brief 11 - Determining Building Cluster Performance Goals, NIST Special Publication 1190GB-11. 

233 Ibid. 


234 Ibid. 
Appendix G: Lessons Learned from 2017 Disasters 

The federal government, SLTT governments, and utilities currently have robust systems and processes in 
place to respond to disasters we have previously experienced (e.g., hurricanes) even if an event is more 
severe than those previously experienced. These entities continue to learn from each event and incorporate 
the experiences and knowledge to improve preparedness and response for similar future disasters. 

During the course of the study, the nation experienced a number of severe disasters causing loss of life, 
destruction of communities, and billions of dollars in damage. 

This study did not focus on preparedness, response, and recovery from hurricanes, wildfires, and other 
disasters; rather it focused on events beyond modern experience. However, the lessons learned from prior 
events, including the disasters that took place in 2017 and 2018, provided the NIAC with a better 
understanding of current response plans and the challenges that the nation may face in a catastrophic 
power outage. This appendix provides a high-level overview of the information most relevant to this study, 
and should not be considered a comprehensive summary of the disasters and their impact, or lessons 
learned. 


I. Overview of the 2017 Disasters 

In 2017, four near-sequential disasters—Hurricane Harvey, Hurricane Irma, Hurricane Maria, and the 
California wildfires—created an unprecedented demand for federal disaster response and recovery 
resources. 235 It was the most active hurricane season since 2005, and was the seventh most active season in 
the historical record dating back to 1851. 236 The 2017 hurricanes and wildfires collectively affected 47 million 
people—nearly 15 percent of the nation's population. 237 The cumulative cost to the U.S. was $306.2 billion, 
breaking the previous cost record of $214.8 billion from 2005. 238 Specifically, 2017 had 17 named storms, 10 
of which became hurricanes, including 6 major hurricanes (Category 3, 4, or 5); 239 the strongest Atlantic 
Ocean hurricane on record, with winds peaking at 185 mph (Hurricane Irma); 71,499 wildfires; 240 and a greater 
amount of DOD contracts and mission assignments for the response to the California wildfires than for the 
hurricane response in support of Texas and Florida combined. 241 

A. Puerto Rico 

In September 2017, Hurricane Irma caused significant damage to Puerto Rico, leaving over a million 
residents without power. Before the island could move from response to recovery efforts, Hurricane Maria 
caused further destruction and widespread failure of the island's power grid, resulting in the longest power 
restoration mission in U.S. history. 242 It is also the largest and longest federal response to a domestic 
disaster, including being the longest air mission for FEMA, the largest medical response ever, and the largest 
power restoration mission. 243 


235 GAO, "2017 Hurricanes and Wildfires," September 2018. 

236 NOAA, "Extremely Active 2017 Atlantic Hurricane Season Finally Ends," November 30, 2017. 

237 FEMA, 2018-2022 Strategic Plan, 2018. 

238 NOAA, "Hurricane Costs," Last modified October 17, 2018. 

239 NOAA, "Extremely Active 2017 Atlantic Hurricane Season Finally Ends," November 30, 2017. 

240 NIFC, "Total Wildland Fires and Acres (1926-2017)." 

241 FEMA, 2018-2022 Strategic Plan, 2018. 

242 Rhodium Group, "America's Biggest Blackout," 2018. 

243 FEMA, "Puerto Rico One Year after Hurricanes Irma and Maria," Press release, September 6, 2018. 
In the immediate aftermath, more than 80 percent of the island's power lines were knocked down in the 
Category 4 winds—uprooting much of Puerto Rico's infrastructure, leaving all 3.6 million residents 
without power, and putting 90 percent of cell towers out of service. 244 Almost full power was restored to the 
entire island 11 months after Hurricane Maria hit, with only small pockets of outages due to geographic 
constraints or the need for new transmission lines. 245 

There were cascading second-, third-, and fourth-tier 
effects stemming from the loss of power. Water pumps 
shut off 246 and water testing labs were affected, causing 
further delays in accessing safe, potable water. 247 
Damage to pharmaceutical manufacturing facilities 
caused a shortage of saline IV bags across the United 
States. 248 With no way to keep money flowing, the 
Treasury Department sent $250,000 in cash to allow 
commerce to continue on the island. 

Puerto Rican officials initially announced that 64 people 
died as a result of Hurricane Maria. 249 A 2018 study 
reported that the estimate was much higher at 2,975 
people. 250 

II. Lessons Learned 

As discussed throughout the report, the federal 
government, SLTT governments, and utilities 
continuously look for ways to improve emergency 
preparedness and response, whether from exercises 
or actual events. This section includes insights gathered 
during interviews and from after-action reports. 

A. Utility Lessons Learned 

The 2017 hurricanes reinforced that there is no easy or one-size-fits-all solution. The NIAC learned that in 
most cases, mutual assistance continues to be an effective way for utilities to quickly and efficiently restore 
service; but this can be dependent on geography and company structures. The pre-positioning of resources 
and working closely with SLTT and federal partners also helps utilities respond more efficiently. Finally, 
investments in infrastructure hardening and system modernization ahead of a disaster can help 
reduce the impact and/or speed restoration. Other lessons learned include: 


2018 Disasters 

This year also brought a number of severe storms 
and disasters: 

• The 2018 hurricane season was the most 
active recorded for Pacific Ocean storms with 
Hurricanes Lane, Rosa, Sergio, and Willa. 

• Hurricane Florence had the second highest 
rainfall after Hurricane Harvey, causing an 
estimated $13 billion in damages. 

• Hurricane Michael was the most powerful 
storm to hit the Florida Panhandle on record. 

• The 2018 Camp Fire is the deadliest and most 
destructive fire in California history. As of 
November 26, 2018, it destroyed 18,000 
structures, burned 153,000 acres, and killed 
85 people. 

• The Mendocino Complex fire, which began in 
July 2018, was the largest recorded fire in 
California, burning 459,123 acres. It destroyed 
280 structures, including 157 residences, 
killed a firefighter, and injured four others. 

Source: The Washington Post, Sept. 19; ABC 13 
Eyewitness News, November 19; ABC 11 Eyewitness 
News, Sept. 26; USA Today, Oct. 23 


244 FCC, Communications Status Report for Areas Impacted by Hurricane Maria, September 27, 2017. 

245 Jessica Resnick-Ault, "Puerto Rico finally restored power to the entire island - 328 days after Hurricane Maria hit," Business Insider, August 15, 
2018. 

246 John Humphrey, "7 Things About Life in Puerto Rico with No Electricity," IEEE Spectrum, December 4, 2017. 

247 Sara Reardon, "Puerto Rico struggles to assess hurricane's health effects," Nature, November 15, 2017. 

248 Sarah Baker, "Are we doing enough to protect the health care supply chain?" The Hill, March 30, 2018. 

249 Puerto Rico Public-Private Partnerships Authority, An Economic and Disaster Recovery plan for Puerto Rico, July 9, 2018. 

250 Milken Institute School of Public Health, George Washington University, Ascertainment of the Estimated Excess Mortality From Hurricane Maria in 
Puerto Rico, 2018. 
• Fast and efficient restoration is dependent on prior training, established mutual assistance 
agreements, and investments in new technology. For example, before, during, and after Hurricane 
Harvey, CenterPoint—the energy utility that covers a 5,000 square-mile service territory in the Houston 
metropolitan area—mustered resources; created staging sites; and transported, housed, and fed 
the people needed for response and restoration (approximately 3,500 resources). 251 Over the 
course of the 5-day event more than 1 million customers lost power, but CenterPoint had 
only 200,000 people without power at any one time. 

• The use of smart meters enabled constant metering and outage tracking during and after the 
storm. When crews were unable to go into the field after the storm, meters provided constant 
power updates enabling power utilities to accurately report to customers, the media, regulators, 
and legislators about outages and power restoration in real-time, sometimes through social media. 
This type of response is dependent on working communications. 

• Investments in hardening before a disaster make a difference. For example, Florida Power and 
Light (FPL) spent billions to harden its infrastructure following the 2004 hurricane season when it 
experienced four hurricanes in 44 days (Hurricanes Charley, Frances, Ivan, and Jeanne). 252 FPL 
worked with its regulators and conducted outreach with customers as part of the process. 

o Hurricane Irma was a Category 4 storm, 1.5 times stronger than a previous 
devastating storm after which power restoration took an average of 8 days. After Hurricane 
Irma, the average FPL customer in Florida had power back after 5 days, the fastest 
restoration for the largest number of people by one utility in U.S. history. 253 For the service 
territory, every day customers are without power results in $1 billion of economic loss. The 
average customer had 3 fewer days of outage; those three days saved $3 billion of 
economic loss. 

B. FEMA Lessons Learned 

In its 2017 Hurricane Season After-Action Report, FEMA found that the 2017 hurricanes and wildfires 
highlighted some longstanding issues and revealed other emerging response and recovery challenges. For 
example, the concurrent timing and scale of the disaster damages nationwide caused shortages in available 
debris removal contractors and delays in removing disaster debris—a key first step in recovery. In addition, 
FEMA's available workforce was overwhelmed by the response needs. 254 

During the 2017 response, a Power Task Force—with representatives from FEMA, DOE, USACE, the private 
sector, and local government—was stood up to discuss ongoing issues and serve as an operational team 
during an event as a way to respond more effectively and efficiently. The AAR highlighted the need to 
continue this collaborative, steady state partnership. 

FEMA also incorporated lessons learned from 2017 into its 2018-2022 Strategic Plan, which outlines the 
agency's path forward for improving emergency response. FEMA highlighted as a key lesson learned that 
emergency management is most effective when it is federally supported, state managed, and 
locally executed. 255 As mentioned in Appendix D, FEMA identified 3 strategic goals and 12 supporting 
objectives to guide efforts in the coming years. 
253 "FPL completes service restoration to more than 4.4 million customers impacted by historic Hurricane Irma," Press release, September 22, 2017. 
Other lessons learned that were highlighted in the plan include: 

• All levels of government need to be better prepared with their own supplies, have pre-positioned 
contracts with enforcement mechanisms, and be ready for the economic effects of a 
disaster. This includes developing a more comprehensive understanding of local, regional, and 
national supply chains, as well as stronger relationships with critical private sector partners to 
support rapid restoration in response to catastrophic incidents. 256 

• Plans are based on the best information available, but no disaster follows the plan. Every response 
requires adaptation, which is why flexible authorities and programs are important. For example, 
FEMA's plans did not anticipate the massive requirements to directly assist electricity, 
telecommunications, and fuel sector utilities with air and sea movement for response and recovery 
efforts in Puerto Rico. FEMA needs to support states to build a greater capacity to respond to small-scale 
events, without an oversized federal response, by providing financial assistance to state-managed 
disasters. 257 

• Critical infrastructure owners and operators, and state and local governments, should be 
encouraged to invest in more resilient infrastructure. This includes investment in pre-disaster 
mitigation opportunities, such as up-to-date building codes and hurricane resilient building 
materials. 258 Investments in hardening infrastructure and ensuring it is well-maintained can help 
reduce the severity of storm impacts and help areas recover and restore power faster. 

• Private companies working collaboratively can make a huge impact in response and recovery 
efforts. A lack of knowledge or awareness about interdependencies and cascading effects can delay 
response and recovery. The private sector, which has a greater knowledge of day-to-day operational 
needs, should be engaged from the beginning. For example, in Puerto Rico, the power outage caused 
water pumps to shut off 259 and water testing labs to lose power, causing further delays in 
accessing safe, potable water. 260 

• Mutual aid contracts should be established prior to an event, with details such as cost and timing 
decided ahead of time, so recovery and restoration can begin without delays. Standardized 
contracts should be integrated under one umbrella that is applicable across states and the public 
and private sectors. For example, New York already has this type of contract between states, which 
is why after Superstorm Sandy resources were organized more efficiently for response and recovery 
efforts. 261 

• Federal coordination with other federal, local, and volunteer emergency partners before an event 
occurs cuts down on response time. FEMA coordinated closely with Texas, Florida, and California 
emergency management officials and other federal, local, and volunteer emergency partners to 
implement emergency preparedness actions prior to the 2017 disasters. This helped overcome a 
number of challenges such as deploying a sufficient and adequately-trained disaster workforce and 
removing debris in a timely manner after the 2017 hurricanes and wildfires, cutting down on the 
overall time for response. 262 


256 FEMA, 2018-2022 Strategic Plan, 2018. 

257 Ibid. 
C. Looking Ahead 

While communities continue to recover from these events, FEMA has already started implementing its 
recommendations from the after-action report and its strategic plan. One such recommendation is the 
update to the NRF to focus more on critical lifelines and cross-sector coordination (See Appendix D for more 
information). 